Abstract

We  show  that  a  type  system  based  on  the  intuitionistic  modal  logic  S4  provides  an  expressive 
framework  for  specifying  and  analyzing  computation  stages  in  the  context  of  typed  lambda-calculi 
and  functional  languages.  We  directly  demonstrate  the  sense  in  which  our  calculus  captures  staging, 
and  also  give  a  conservative  embedding  of  Nielson  &  Nielson’s  two-level  functional  language  in  our 
language,  thus  proving  that  binding-time  correctness  is  equivalent  to  modal  correctness.  In  addition, 
our  language  can  express  immediate  evaluation  and  sharing  of  code  across  multiple  stages,  thus 
supporting run-time code generation as well as partial evaluation.

1 Introduction


Dividing  a  computation  into  separate  stages  is  a  common  informal  technique  for  the  derivation  of 
algorithms  [JS86].  For  example,  instead  of  directly  matching  strings  against  a  regular  expression 
we  may  first  compile  the  regular  expression  into  a  finite  automaton  and  then  execute  the  same 
automaton  on  different  strings.  Because  significant  efficiency  gains  can  often  be  realized,  there  is  a 
substantial  body  of  work  concerned  with  the  automation  of  staged  computation.  Partial  evaluation 
(see,  for  example,  [JGS93])  divides  the  computation  into  two  stages  based  on  the  early  availability 
of some function arguments. In practice this appears most successful when supported by binding-time
analysis [GJ91], which statically determines which parts of a computation may be carried out
in  the  first  phase,  and  which  parts  remain  to  be  done  in  the  second  phase. 

It  often  takes  considerable  ingenuity  to  write  programs  in  such  a  way  that  they  exhibit  proper 
binding-time  separation,  that  is,  that  the  computation  intended  to  occur  when  the  early  arguments 
become  available  can  in  fact  be  carried  out.  From  a  programmer’s  point  of  view  it  is  therefore 
desirable  to  declare  the  expected  binding-time  separation  and  obtain  constructive  feedback  when 
the  computation  may  not  be  staged  as  expected.  This  suggests  that  the  binding-time  properties  of 
a  function  should  be  expressed  in  a  prescriptive  type  system,  and  that  binding-time  analysis  should 
be  a  form  of  type  checking.  The  work  on  two-level  functional  languages  [NN92]  and  some  work  on 
partial evaluation (for example, [GJ91]) shows that this view is indeed possible.

Up  to  now  these  type  systems  have  been  motivated  algorithmically,  that  is,  they  are  explicitly 
designed  to  support  specialization  of  a  function  to  its  early  arguments.  In  this  paper  we  show  that 
they  can  also  be  motivated  logically,  and  that  the  proper  logical  system  for  expressing  computation 
stages  is  the  intuitionistic  variant  of  the  modal  logic  S4  [Pra65].  This  observation  immediately  gives 
rise  to  a  natural  generalization  of  standard  binding-time  analysis  by  allowing  multiple  computation 
stages,  initiation  of  successor  stages,  and  sharing  of  code  across  multiple  stages.  Such  extensions 
are  normally  considered  external  issues.  For  example,  Jones  [Jon91]  describes  a  typed  framework 
for  such  concepts,  but  only  at  the  level  of  operations  on  whole  programs.  Our  framework  instead 
provides  these  operations  within  the  language  of  programs.  This  makes  our  approach  particularly 
relevant to run-time code generation, where specialization takes place when the program is executed.
Indeed, the authors and others have designed and implemented an extension of ML based
on  the  type  system  described  here  which  generates  and  executes  abstract  machine  code  at  run 
time  [WLPD98,  WLP98]. 

One  of  our  conclusions  is  that  when  we  extend  the  Curry-Howard  isomorphism  between  proofs 
and  programs  from  intuitionistic  logic  to  the  intuitionistic  modal  logic  S4  we  obtain  a  natural  and 
logical explanation of computation stages. The isomorphism relates proofs in modal logic to
functional programs which manipulate program fragments for later stages. Each world in the Kripke
semantics of modal logic corresponds to a stage in the computation, and a term of type $\Box A$
corresponds to code to be executed in a future stage of the computation. The modal restrictions imposed
on terms of type $\Box A$ guarantee that a function of type $B \to \Box A$ can carry out all computation
concerned with its argument while generating the residual code of type A.

We begin by considering $\lambda_e^{\to\Box}$, a modal λ-calculus based on a natural-deduction formulation of
intuitionistic modal S4. The presentation is new, but draws on ideas in [BdP92, PW95, Gir93].

We then construct a functional language Mini-ML$_e^\Box$ by augmenting $\lambda_e^{\to\Box}$ with a fixpoint
operator, natural numbers, and pairs and endow it with a natural call-by-value operational semantics
along the lines of Mini-ML [CDDK86].

Mini-ML$_e^\Box$ can be somewhat awkward because it often requires a broad syntactic structuring of
the program to directly reflect staging. This simplifies the study of staging properties of Mini-ML$_e^\Box$,
but it also makes it difficult to directly relate it to previous work on staged languages, such as
two-level languages [NN92]. We thus consider a more implicit formulation of S4 motivated by its Kripke
semantics following [MM94, PW95] and then augment it as before to form Mini-ML$^\Box$. With some
syntactic sugar, Mini-ML$^\Box$ is intended to serve as the basis for a conservative extension of ML
with practical means to express and check staging of computation. The operational semantics
of Mini-ML$^\Box$ is given by a type-preserving translation to Mini-ML$_e^\Box$ whose correctness is not
entirely trivial. This translation also describes the first phase of a plausible compilation strategy for
Mini-ML$^\Box$ for run-time code generation.

We then exhibit a simple full and faithful embedding of Nielson & Nielson’s two-level
language [NN92] in Mini-ML$^\Box$, providing further evidence that Mini-ML$^\Box$ provides an intuitively
appealing, technically correct, and logically motivated view of staged computation.

2 A Modal λ-Calculus

In this section we present the modal λ-calculus $\lambda_e^{\to\Box}$. We start by directly motivating the calculus
in terms of manipulation of code and relate this to modal logic. We then present typing rules
based on a natural deduction system for modal S4, give β and η rules for the modal □ operator,
and show that they satisfy subject reduction and expansion, respectively. We also demonstrate the
relationship between $\lambda_e^{\to\Box}$ and computation staging via two theorems.

2.1  Natural  Deduction  for  Validity 

A common feature of many forms of staged computation is the manipulation of code. Macro
expanders and partial evaluators typically manipulate source expressions, run-time code generators
typically manipulate object code or some form of intermediate code. To show how such
manipulation of code may be accounted for in a typed framework, we start with a typed λ-calculus and
introduce a new type constructor □, where $\Box A$ represents code of type A. This type remains
abstract in the sense that we do not commit ourselves to a particular way of implementing it. In this
way our type system can support diverse applications.

Next we have to decide which operations should be supported on code. First, we should be
able to manipulate an arbitrary closed expression as code. This suggests a constructor box where
$\mathsf{box}\ E : \Box A$ if $E : A$ in the empty context. This is essentially the modal rule of necessitation. The
second means of constructing code is by substitution: we can substitute code for a free variable
appearing in code to obtain code. In a meaningful type system such substitution must be
“hygienic” and rename bound variables if necessary to avoid capture. The restriction that we can only
substitute code (and not arbitrary expressions) into code is reflected exactly in one of Prawitz’s
variants of the modal necessitation rule [Pra65]: We can infer that $\mathsf{box}\ E : \Box A$ from $E : A$ if all
hypotheses of the latter derivation are of the form $x : \Box B$. This means that every free variable x
in E must have a type of the form $\Box B$. Prawitz’s elimination rule allows us to infer A from $\Box A$.
In terms of the functional interpretation, this suggests evaluation: we execute the code of type A to
obtain a value of type A.

Unfortunately, the natural deduction formulation of modal logic based on these two rules does
not obey subject reduction (see [PW95] for a counterexample). We can trace the difficulty to the
global side-condition on the necessitation rule which requires assumptions to be of a particular
form. If we express this condition directly on the level of the judgments, we are led to a different
system which does satisfy subject reduction and other properties desirable for a system of natural
deduction. To this end, we introduce two basic judgments on propositions, “A is true” and “A is
valid”. We have hypotheses expressing that certain propositions are true and others are valid. We
write

to express

Under the hypothesis that $A_1, \ldots, A_m$ are valid and $B_1, \ldots, B_n$ are true, C is true.

Since  our  main  goal  is  the  analysis  of  the  Curry-Howard  isomorphism  between  proofs  and  programs, 
we  label  the  hypotheses  and  annotate  C  with  a  proof  term  E. 

$$(u_1{:}A_1, \ldots, u_m{:}A_m); (x_1{:}B_1, \ldots, x_n{:}B_n) \vdash_e E : C$$

Here and throughout this paper, we presuppose that all variables labelling hypotheses are
distinct.

Taking the functional view for a moment, we think of $u_1, \ldots, u_m$ as variables ranging over code
and $x_1, \ldots, x_n$ as variables ranging over values which may occur free in the expression E. Generally,
we write Δ for a context $u_1{:}A_1, \ldots, u_m{:}A_m$ declaring modal variables u (also called code variables)
and Γ for a context $x_1{:}B_1, \ldots, x_n{:}B_n$ declaring ordinary variables x (also called value variables).

But how do we conclude that A is valid? In informal terms, A is valid if it is true under all
possible interpretations. In other words, its derivation may not depend on any hypotheses about
the truth of propositions. That is, we judge that C is valid under the hypothesis that $A_1, \ldots, A_m$
are valid if

or, with proof terms,

$$(u_1{:}A_1, \ldots, u_m{:}A_m); \cdot \vdash_e E : C$$

With  respect  to  our  functional  interpretation,  this  means  that  E  contains  only  free  code  variables, 
but  no  free  value  variables. 

We now develop the inference rules characterizing the judgments and then introduce the logical
connectives. First we have

$$\dfrac{x{:}A \text{ in } \Gamma}{\Delta; \Gamma \vdash_e x : A}\ \mathsf{ovar}$$

since  we  can  conclude  that  A  is  true  from  the  hypothesis  that  A  is  true.  But  it  is  certainly  also  the 
case  that  A  is  true  if  A  is  valid. 

$$\dfrac{u{:}A \text{ in } \Delta}{\Delta; \Gamma \vdash_e u : A}\ \mathsf{mvar}$$

The  transition  from  a  judgment  of  validity  to  that  of  truth  corresponds  on  the  functional  side  to  a 
transition  from  code  to  value.  We  will  use  this  later  to  encode  evaluation. 

Second, we consider the substitution principles which are derived from the nature of the
hypothetical judgments. In purely logical terms: if we have a derivation showing that C is true from
the  hypothesis  that  A  is  true,  then  we  can  substitute  an  actual  derivation  establishing  the  truth 
of  A  for  all  uses  of  the  hypothesis.  This  results  in  a  derivation  for  the  truth  of  C  which  no  longer 
depends  on  the  hypothesis.  With  proof  terms,  the  substitution  principle  for  ordinary  hypotheses 
reads: 

Ordinary  Substitution  Principle 

If $\Delta; \Gamma \vdash_e E_1 : A$ and $\Delta; (\Gamma, x{:}A, \Gamma') \vdash_e E_2 : B$ then $\Delta; (\Gamma, \Gamma') \vdash_e [E_1/x]E_2 : B$.

Similarly, we should be able to substitute a derivation demonstrating the validity of A for all
uses of the hypothesis that A is valid.

Modal  Substitution  Principle 

If $\Delta; \cdot \vdash_e E_1 : A$ and $(\Delta, u{:}A, \Delta'); \Gamma \vdash_e E_2 : B$ then $(\Delta, \Delta'); \Gamma \vdash_e [E_1/u]E_2 : B$.

It is critical here that A is valid and not just true, which should be obvious from what is said
above. Therefore, we must require $\Delta; \cdot \vdash_e E_1 : A$ rather than just $\Delta; \Gamma \vdash_e E_1 : A$ (which would be
unsound).

Eventually,  when  our  system  is  complete,  we  have  to  prove  the  validity  of  the  two  substitution 
principles  to  verify  that  there  is  no  mistake  in  the  design  of  our  rules.  Similar  guiding  properties 
of  hypothetical  judgments  are  exchange  (the  order  of  hypotheses  should  not  matter),  weakening 
(hypotheses  need  not  be  used)  and  contraction  (hypotheses  may  be  used  more  than  once).  All  of 
these  are  proved  in  Section  2.4. 

The  next  step  is  to  introduce  the  logical  connectives  and  operators.  In  natural  deduction,  these 
are  characterized  by  introduction  and  elimination  rules  which  must  match  in  an  appropriate  way. 
One  of  the  underlying  principles  of  natural  deduction  is  that  connectives  should  be  orthogonal  to 
each  other;  each  introduction  or  elimination  rule  should  refer  only  to  the  connective  whose  meaning 
we  define. 

We first discuss this using the familiar implication (or function type, under the Curry-Howard
correspondence). We want to express that $A \to B$ should be true if B is true under the hypothesis
that A is true.

$$\dfrac{\Delta; (\Gamma, x{:}A) \vdash_e E : B}{\Delta; \Gamma \vdash_e \lambda x{:}A.\ E : A \to B}$$

Note that Δ is not affected: validity does not enter the considerations for this connective. On
proof terms, this rule explicitly introduces the function which maps proofs of A to proofs of B.

Conversely, if we know that $A \to B$ is true then B should be true under hypothesis A. So if we
also know that A is true, we can conclude that B must be true.

$$\dfrac{\Delta; \Gamma \vdash_e E_2 : A \to B \qquad \Delta; \Gamma \vdash_e E_1 : A}{\Delta; \Gamma \vdash_e E_2\, E_1 : B}$$

On proof terms, this applies the function $E_2$ which maps proofs of A to proofs of B to the given
proof $E_1$ of A.

How do we know the introduction and elimination rules match and thus define a meaningful
connective? We should verify two conditions: local soundness and local completeness. Local
soundness ensures that we cannot gain information by introducing a connective and then immediately
eliminating it: we must already be able to make the same judgment without the detour. This
guarantees that the elimination rules are not too strong. Local completeness ensures that we can
recover all information present in a connective: there is some way to apply the elimination rules so
we can reconstitute a proof of the original proposition using its introduction rules. This guarantees
that the elimination rules are not too weak.

On proof terms, local soundness and completeness are witnessed by local reduction and
expansion, taking advantage of the substitution principles.


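$$
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}_2\\ \Delta; (\Gamma, x{:}A) \vdash_e E_2 : B\end{array}}{\Delta; \Gamma \vdash_e \lambda x{:}A.\ E_2 : A \to B}
\qquad
\begin{array}{c}\mathcal{D}_1\\ \Delta; \Gamma \vdash_e E_1 : A\end{array}}
{\Delta; \Gamma \vdash_e (\lambda x{:}A.\ E_2)\, E_1 : B}
\quad\Longrightarrow\quad
\begin{array}{c}\mathcal{D}_2'\\ \Delta; \Gamma \vdash_e [E_1/x]E_2 : B\end{array}
$$

Here, $\mathcal{D}_2'$ is constructed by substitution of $\mathcal{D}_1$ into $\mathcal{D}_2$, as indicated in the discussion of the
(ordinary) substitution principle. On proof terms we have ordinary β-reduction. Local completeness
is witnessed by η-expansion.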


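$$
\begin{array}{c}\mathcal{D}\\ \Delta; \Gamma \vdash_e E : A \to B\end{array}
\quad\Longrightarrow\quad
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}'\\ \Delta; (\Gamma, x{:}A) \vdash_e E : A \to B\end{array}
\qquad
\dfrac{}{\Delta; (\Gamma, x{:}A) \vdash_e x : A}\ \mathsf{ovar}}
{\Delta; (\Gamma, x{:}A) \vdash_e E\, x : B}}
{\Delta; \Gamma \vdash_e (\lambda x{:}A.\ E\, x) : A \to B}
$$

Here, $\mathcal{D}'$ is constructed by weakening from $\mathcal{D}$ (we add the unused hypothesis x:A), which has
no effect on the proof term E. On proof terms, therefore, we have ordinary η-expansion.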

Next we consider the modal operator. $\Box A$ should be true if A is valid. Written as an inference
rule:

$$\dfrac{\Delta; \cdot \vdash_e E : A}{\Delta; \Gamma \vdash_e \mathsf{box}\ E : \Box A}\ \Box I$$


Note how the premise enforces that A is valid by requiring the ordinary context to be empty.
On proof terms this means that only modal variables from Δ can occur free in E.

The corresponding elimination is not straightforward. For example, Prawitz’s rule from above
which concludes A from $\Box A$ is locally sound but not complete. Intuitively, this should be clear
because we are losing information when we make the step from “$\Box A$ is true” to “A is true”. An
alternative rule which concludes “A is valid” from “$\Box A$ is true” is unsound, because the judgment
that $\Box A$ is true may actually depend on hypotheses about the truth of other propositions.

Instead we reason as follows: if $\Box A$ is true under some hypotheses, then any judgment we make
under the additional hypothesis that A is valid, must in fact be evident.


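$$\dfrac{\Delta; \Gamma \vdash_e E_1 : \Box A \qquad (\Delta, u{:}A); \Gamma \vdash_e E_2 : B}{\Delta; \Gamma \vdash_e \mathsf{let\ box}\ u = E_1\ \mathsf{in}\ E_2 : B}\ \Box E$$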


Thus the elimination rule for □ introduces a modal hypothesis and the corresponding term
construct has the form of a let. From the functional point of view, $E_1$ represents a value of
type $\Box A$ containing some code. This code is accessible in $E_2$ with the name u. Local soundness
and completeness with this construction are easily verified. Local soundness is guaranteed by the
reduction


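$$
\dfrac{\dfrac{\Delta; \cdot \vdash_e E_1 : A}{\Delta; \Gamma \vdash_e \mathsf{box}\ E_1 : \Box A}\ \Box I
\qquad
\begin{array}{c}\mathcal{D}_2\\ (\Delta, u{:}A); \Gamma \vdash_e E_2 : B\end{array}}
{\Delta; \Gamma \vdash_e \mathsf{let\ box}\ u = \mathsf{box}\ E_1\ \mathsf{in}\ E_2 : B}\ \Box E
\quad\Longrightarrow\quad
\begin{array}{c}\mathcal{D}_2'\\ \Delta; \Gamma \vdash_e [E_1/u]E_2 : B\end{array}
$$

where $\mathcal{D}_2'$ is the derivation constructed by substitution as indicated in the modal substitution
principle.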

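The expansion below demonstrates local completeness, since the result of the elimination rule
applied to a derivation of $\Box A$ contains enough information to reconstitute a derivation of $\Box A$.

$$
\begin{array}{c}\mathcal{D}\\ \Delta; \Gamma \vdash_e E : \Box A\end{array}
\quad\Longrightarrow\quad
\dfrac{\begin{array}{c}\mathcal{D}\\ \Delta; \Gamma \vdash_e E : \Box A\end{array}
\qquad
\dfrac{\dfrac{}{(\Delta, u{:}A); \cdot \vdash_e u : A}\ \mathsf{mvar}}{(\Delta, u{:}A); \Gamma \vdash_e \mathsf{box}\ u : \Box A}\ \Box I}
{\Delta; \Gamma \vdash_e \mathsf{let\ box}\ u = E\ \mathsf{in}\ \mathsf{box}\ u : \Box A}\ \Box E
$$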




Other standard logical connectives such as negation, conjunction, disjunction, universal and
existential quantification can be defined by introduction and elimination rules in a similar manner
to implication; they do not need to directly interact with the modal hypotheses. Since we are in
the intuitionistic setting, the modal possibility operator $\Diamond A$ cannot be defined via negation. It
can be characterized directly by introduction and elimination rules which are locally sound and
complete, but only if we introduce a new judgment “A is possibly true”. We leave the details to a
future paper, since it does not directly concern our main objective here.

Our presentation simplifies that of the modal λ-calculus from [BdP92, PW95] by
eliminating the need for simultaneous substitution while preserving subject reduction. It is inspired
by sequent calculi proposed by Andreoli [And92] for linear logic and by Girard [Gir93] for LU.
Wadler [Wad93] has formulated a linear λ-calculus with two contexts, which shares some features
with our calculus. The methodology we followed is due to Martin-Löf [ML85a, ML85b], although we
have not seen the normative use of local soundness and completeness as witnessed by β-reduction
and η-expansion. Note that only β-reduction has computational significance, while η-expansion
internalizes an extensionality principle.

The elimination construct for □ allows us to bind a variable u in Δ to code of type A, written
as $\mathsf{let\ box}\ u = E_1\ \mathsf{in}\ E_2$. Evaluation of code, certainly one of the most fundamental operations, is
then definable by

$$\mathsf{eval} = (\lambda x{:}\Box A.\ \mathsf{let\ box}\ u = x\ \mathsf{in}\ u) : \Box A \to A.$$

Here, and from now on, we associate □ more strongly than → to avoid excessive parentheses. Note
that the opposite coercion, $\lambda x{:}A.\ \mathsf{box}\ x$, cannot be well-typed, since x is an arbitrary argument and
will not necessarily be bound to code. Furthermore, it violates the concept of stage separation since
x is an “early” argument which we refer to “late”, that is, inside box. Here are a few other examples
of modal propositions and proofs from which the natural deductions can be easily reconstructed.

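$$\vdash_e \lambda x{:}\Box(A \to B).\ \lambda y{:}\Box A.\ \mathsf{let\ box}\ u = x\ \mathsf{in}\ \mathsf{let\ box}\ v = y\ \mathsf{in}\ \mathsf{box}\ (u\, v) \;:\; \Box(A \to B) \to (\Box A \to \Box B)$$

$$\vdash_e \lambda x{:}\Box A.\ \mathsf{let\ box}\ u = x\ \mathsf{in}\ \mathsf{box}\ \mathsf{box}\ u \;:\; \Box A \to \Box\Box A$$

$$\vdash_e \lambda x{:}\Box A.\ \mathsf{let\ box}\ u = x\ \mathsf{in}\ u \;:\; \Box A \to A$$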

Note  that  the  first  law  holds  in  all  modal  logics,  while  the  second  and  third  correspond  to  reflexivity 
and  transitivity  of  the  accessibility  relation  between  worlds  in  the  Kripke  semantics  [Kri63]  in 
axiomatic  formulations  of  modal  logics. 

2.2  Syntax 

We  now  summarize  the  system  of  natural  deduction  for  S4  and  its  properties. 

Types $A ::= A_1 \to A_2 \mid \Box A$

Terms $E ::= x \mid \lambda x{:}A.\ E \mid E_1\, E_2 \mid u \mid \mathsf{box}\ E \mid \mathsf{let\ box}\ u = E_1\ \mathsf{in}\ E_2$

Ordinary Contexts $\Gamma ::= \cdot \mid \Gamma, x{:}A$

Modal Contexts $\Delta ::= \cdot \mid \Delta, u{:}A$

We use A, B for types, x for ordinary variables and u for modal variables assuming that any
variable can be declared at most once in a context. Bound variables may be renamed tacitly, and
leading ·’s may be omitted from contexts. We write $[E'/x]E$ (and similarly for modal variables) for
the result of substituting E′ for x in E, renaming bound variables as necessary in order to avoid
the capture of free variables in E′.

2.3  Typing  Rules 

$\Delta; \Gamma \vdash_e E : A$    E has type A in modal context Δ and ordinary context Γ.

Our  system  has  the  property  that  a  valid  term  has  a  unique  type  and  typing  derivation,  except 
for  possibly  unused  hypotheses. 

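λ-calculus Fragment

$$\dfrac{x{:}A \text{ in } \Gamma}{\Delta; \Gamma \vdash_e x : A}\ \mathsf{ovar}$$

$$\dfrac{\Delta; (\Gamma, x{:}A) \vdash_e E : B}{\Delta; \Gamma \vdash_e \lambda x{:}A.\ E : A \to B}$$

$$\dfrac{\Delta; \Gamma \vdash_e E_1 : B \to A \qquad \Delta; \Gamma \vdash_e E_2 : B}{\Delta; \Gamma \vdash_e E_1\, E_2 : A}$$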


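Modal Fragment

$$\dfrac{u{:}A \text{ in } \Delta}{\Delta; \Gamma \vdash_e u : A}\ \mathsf{mvar}$$

$$\dfrac{\Delta; \cdot \vdash_e E : A}{\Delta; \Gamma \vdash_e \mathsf{box}\ E : \Box A}\ \Box I$$

$$\dfrac{\Delta; \Gamma \vdash_e E_1 : \Box A \qquad (\Delta, u{:}A); \Gamma \vdash_e E_2 : B}{\Delta; \Gamma \vdash_e \mathsf{let\ box}\ u = E_1\ \mathsf{in}\ E_2 : B}\ \Box E$$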
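
The typing rules above can be read directly as a checking algorithm. The following Python checker is an added example, not code from the paper: the tuple encoding of terms, the string base types, and the names infer, check, arrow, box_t, EVAL, APPLY, QUOTE and LIFT are assumptions of the example. It accepts the three modal laws of Section 2.1 and rejects the coercion λx:A. box x because the premise of the □ introduction rule is checked in the empty ordinary context.

```python
# Added example: a checker for the typing rules of Section 2.3.
# Terms are tuples (an encoding assumed for this example):
#   ("var", x)  ("mvar", u)  ("lam", x, A, E)  ("app", E1, E2)
#   ("box", E)  ("letbox", u, E1, E2)
# Types are ("->", A, B), ("Box", A), or a string naming a base type
# (base types are an assumption of the example, used to build samples).


class IllTyped(Exception):
    """No typing rule applies to the term in the given contexts."""


def arrow(a, b):
    return ("->", a, b)


def box_t(a):
    return ("Box", a)


def infer(delta, gamma, e):
    """Return the type A with delta; gamma |- e : A, or raise IllTyped.

    delta maps modal (code) variables to types; gamma maps ordinary
    (value) variables to types.
    """
    tag = e[0]
    if tag == "var":                      # ovar: x:A in gamma
        if e[1] not in gamma:
            raise IllTyped(f"value variable {e[1]!r} is not available here")
        return gamma[e[1]]
    if tag == "mvar":                     # mvar: u:A in delta
        if e[1] not in delta:
            raise IllTyped(f"code variable {e[1]!r} is unbound")
        return delta[e[1]]
    if tag == "lam":                      # function introduction
        _, x, a, body = e
        return arrow(a, infer(delta, {**gamma, x: a}, body))
    if tag == "app":                      # function elimination
        f, arg = infer(delta, gamma, e[1]), infer(delta, gamma, e[2])
        if not (isinstance(f, tuple) and f[0] == "->" and f[1] == arg):
            raise IllTyped(f"cannot apply {f} to {arg}")
        return f[2]
    if tag == "box":                      # Box I: premise uses the EMPTY ordinary context
        return box_t(infer(delta, {}, e[1]))
    if tag == "letbox":                   # Box E: u:A joins the modal context
        _, u, e1, e2 = e
        t1 = infer(delta, gamma, e1)
        if not (isinstance(t1, tuple) and t1[0] == "Box"):
            raise IllTyped(f"let box expects code, got {t1}")
        return infer({**delta, u: t1[1]}, gamma, e2)
    raise IllTyped(f"unknown term {e!r}")


def check(e):
    """Type of a closed term, or the string "ill-typed"."""
    try:
        return infer({}, {}, e)
    except IllTyped:
        return "ill-typed"


# Constructed sample terms: the three laws of Section 2.1 and the rejected coercion.
EVAL = ("lam", "x", box_t("A"), ("letbox", "u", ("var", "x"), ("mvar", "u")))
APPLY = ("lam", "x", box_t(arrow("A", "B")), ("lam", "y", box_t("A"),
         ("letbox", "u", ("var", "x"), ("letbox", "v", ("var", "y"),
          ("box", ("app", ("mvar", "u"), ("mvar", "v")))))))
QUOTE = ("lam", "x", box_t("A"),
         ("letbox", "u", ("var", "x"), ("box", ("box", ("mvar", "u")))))
LIFT = ("lam", "x", "A", ("box", ("var", "x")))      # lam x:A. box x
```
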

2.4  Reduction  and  Expansion 

The notions of β-reduction and η-expansion are fundamental to the λ-calculus. The preservation of
types under β-reduction is the functional analog of local soundness for rules of natural deduction;
the preservation of types under η-expansion is the functional analog of local completeness. But first
we need to verify the characteristic properties of hypothetical judgments: exchange, weakening,
contraction, and substitution.

Lemma  1  (Structural  Properties  of  Contexts) 

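1. If $(\Delta_1, u{:}A, v{:}B, \Delta_2); \Gamma \vdash_e E : C$ then $(\Delta_1, v{:}B, u{:}A, \Delta_2); \Gamma \vdash_e E : C$.

2. If $\Delta; (\Gamma_1, x{:}A, y{:}B, \Gamma_2) \vdash_e E : C$ then $\Delta; (\Gamma_1, y{:}B, x{:}A, \Gamma_2) \vdash_e E : C$.

3. If $\Delta; \Gamma \vdash_e E : C$ then $(\Delta, u{:}A); \Gamma \vdash_e E : C$.

4. If $\Delta; \Gamma \vdash_e E : C$ then $\Delta; (\Gamma, x{:}A) \vdash_e E : C$.

5. If $(\Delta, u{:}A, v{:}A); \Gamma \vdash_e E : C$ then $(\Delta, w{:}A); \Gamma \vdash_e [w/u][w/v]E : C$.

6. If $\Delta; (\Gamma, x{:}A, y{:}A) \vdash_e E : C$ then $\Delta; (\Gamma, z{:}A) \vdash_e [z/x][z/y]E : C$.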

Proof:  By  straightforward  inductions  over  the  structure  of  the  given  derivations.  Recall  the  global 
assumption  that  each  variable  is  declared  at  most  once  in  a  context,  and  that  bound  variables  may 
be  renamed  tacitly.  □ 

Lemma  2  (Substitution) 

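1. If $\Delta; \Gamma \vdash_e E_1 : A$ and $\Delta; (\Gamma, x{:}A, \Gamma') \vdash_e E_2 : B$ then $\Delta; (\Gamma, \Gamma') \vdash_e [E_1/x]E_2 : B$.

2. If $\Delta; \cdot \vdash_e E_1 : A$ and $(\Delta, u{:}A, \Delta'); \Gamma \vdash_e E_2 : B$ then $(\Delta, \Delta'); \Gamma \vdash_e [E_1/u]E_2 : B$.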

Proof:  By  straightforward  inductions  on  the  typing  derivations  for  E2.  □ 

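The β-reductions and η-expansions on proof terms used in the preceding section to verify local
soundness and completeness are summarized below.

$$(\lambda x{:}A.\ E_2)\, E_1 \longrightarrow_\beta [E_1/x]E_2$$

$$\mathsf{let\ box}\ u = \mathsf{box}\ E_1\ \mathsf{in}\ E_2 \longrightarrow_\beta [E_1/u]E_2$$

$$E : A \to B \longrightarrow_\eta \lambda x{:}A.\ E\, x$$

$$E : \Box A \longrightarrow_\eta \mathsf{let\ box}\ u = E\ \mathsf{in}\ \mathsf{box}\ u$$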

We  now  validate  these  rules  by  showing  that  they  satisfy  subject  reduction. 

Theorem  3  (Subject  Reduction  and  Expansion) 

1. If $\Delta; \Gamma \vdash_e E : A$ and $E \longrightarrow_\beta E'$ then $\Delta; \Gamma \vdash_e E' : A$.

2. If $\Delta; \Gamma \vdash_e E : A$ and $E : A \longrightarrow_\eta E'$ then $\Delta; \Gamma \vdash_e E' : A$.

Proof: In the case of a reduction we first apply inversion and then use the substitution properties
to obtain the result. In the case of an expansion we directly construct the typing derivation for the
expanded term. □

We will not discuss commuting conversions for the □E rule here, since they are not
particularly relevant to our intended application. Similarly, we will not present a formal proof of strong
normalization, although this is easy to obtain by an embedding into the ordinary simply-typed
λ-calculus.

2.5 Staged Computation

We now show the relationship between $\lambda_e^{\to\Box}$ and staged computation. It is our intention that those
parts of a term enclosed by a box constructor should be considered “uninterpreted code”. Thus,
when we construct a computational interpretation of $\lambda_e^{\to\Box}$ based on β-reduction, it is appropriate
to omit the congruence rule for box. We have the judgment:


$E \longmapsto E'$    E reduces to E′

This  judgment  is  defined  by  the  following  rules. 


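$$\dfrac{}{(\lambda x{:}A.\ E_2)\, E_1 \longmapsto [E_1/x]E_2}$$

$$\dfrac{}{\mathsf{let\ box}\ u = \mathsf{box}\ E_1\ \mathsf{in}\ E_2 \longmapsto [E_1/u]E_2}$$

$$\dfrac{E \longmapsto E'}{\lambda x{:}A.\ E \longmapsto \lambda x{:}A.\ E'}\ \mathsf{cong\_lam}$$

$$\dfrac{E_1 \longmapsto E_1'}{E_1\, E_2 \longmapsto E_1'\, E_2}\ \mathsf{cong\_app1}$$

$$\dfrac{E_2 \longmapsto E_2'}{E_1\, E_2 \longmapsto E_1\, E_2'}\ \mathsf{cong\_app2}$$

$$\dfrac{E_1 \longmapsto E_1'}{\mathsf{let\ box}\ u = E_1\ \mathsf{in}\ E_2 \longmapsto \mathsf{let\ box}\ u = E_1'\ \mathsf{in}\ E_2}\ \mathsf{cong\_letbox1}$$

$$\dfrac{E_2 \longmapsto E_2'}{\mathsf{let\ box}\ u = E_1\ \mathsf{in}\ E_2 \longmapsto \mathsf{let\ box}\ u = E_1\ \mathsf{in}\ E_2'}\ \mathsf{cong\_letbox2}$$

We write $\longmapsto^*$ for the reflexive and transitive closure of $\longmapsto$.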

Theorem  4  (Subject  Reduction  with  Congruences) 

If $\Delta; \Gamma \vdash_e E : A$ and $E \longmapsto^* E'$ then $\Delta; \Gamma \vdash_e E' : A$.

Proof: By a simple induction on the derivation of $E \longmapsto^* E'$, using subject reduction (Theorem 3)
for the base cases. □

To demonstrate the relationship between this reduction relation and computation staging, we
roughly follow the binding-time correctness criteria described by Palsberg [Pal93]. Palsberg
presented a modular proof of correctness for binding-time analyses based on two-level languages, such
as those studied in [GJ91]. The first criterion is consistency, namely that static reduction of a
well-annotated term cannot “go wrong”. In our case, well-annotated means well-typed, and the
above subject reduction theorem corresponds roughly to the property of not “going wrong”. To
make the correspondence more evident, we can simply note that a well-typed term cannot contain
the “wrong” forms $(\mathsf{box}\ E_1')$ and $\mathsf{let\ box}\ u = (\lambda x{:}A.\ E_1')\ \mathsf{in}\ E_2'$.

The second criterion for binding-time correctness is that when a stage is complete, no subterm
occurrences that are marked as eliminable remain. In our case, the subterm occurrences in the
scope of a box constructor are code to be executed at a later stage and are therefore considered
persistent; all other term occurrences are considered eliminable. Completing a stage means reducing
a term until it cannot be further reduced by the rules of the judgment $E \longmapsto E'$. We call such
terms irreducible to avoid confusion with subtly different notions such as head-normal form or weak
head-normal form. Note that an irreducible term could still contain a “redex” in the traditional
sense underneath a box constructor. Since we only evaluate closed terms, the following theorem
expresses that our language satisfies the second criterion for binding-time correctness.

Theorem 5 (Eliminability) If $\cdot; \cdot \vdash_e E : \Box A$ and $E \longmapsto^* E'$ and E′ is irreducible, then E′
contains no eliminable term occurrences.

Proof: By subject reduction, $\cdot; \cdot \vdash_e E' : \Box A$. By inversion, and the fact that E′ is irreducible, E′
must have the form $\mathsf{box}\ E_0$ for some $E_0$. Therefore all subterm occurrences in E′ are in the scope
of a box constructor and hence persistent. □
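
The reduction rules of this section and the statement of Theorem 5 can be exercised on a small term. The following Python interpreter is an added example, not code from the paper: the tuple encoding of terms, the outermost-leftmost choice of redex, the renaming scheme and the names free, subst, step, run_stage, ID_REDEX, TWICE, STAGED and EVAL are assumptions of the example. Completing a stage on a closed term of type □(A → A) yields box E0 with β-redexes still inside E0; they are reduced only when a later stage runs the code through eval.

```python
# Added example: the staged reduction relation of Section 2.5.
# Terms are tuples (an encoding assumed for this example):
#   ("var", x)  ("mvar", u)  ("lam", x, A, E)  ("app", E1, E2)
#   ("box", E)  ("letbox", u, E1, E2)
import itertools

_fresh = itertools.count()          # suffixes for renamed binders (assumed unused in inputs)


def free(e):
    """Free variables of e as a set of (kind, name) pairs."""
    tag = e[0]
    if tag in ("var", "mvar"):
        return {(tag, e[1])}
    if tag == "lam":
        return free(e[3]) - {("var", e[1])}
    if tag == "app":
        return free(e[1]) | free(e[2])
    if tag == "box":
        return free(e[1])
    return free(e[2]) | (free(e[3]) - {("mvar", e[1])})      # letbox


def subst(s, kind, name, e):
    """[s/name]e for a value ("var") or code ("mvar") variable, renaming
    bound variables where needed to avoid capture."""
    tag = e[0]
    if tag in ("var", "mvar"):
        return s if (tag, e[1]) == (kind, name) else e
    if tag == "app":
        return ("app", subst(s, kind, name, e[1]), subst(s, kind, name, e[2]))
    if tag == "box":                       # substitution does reach under box
        return ("box", subst(s, kind, name, e[1]))
    bkind = "var" if tag == "lam" else "mvar"
    bound, body = e[1], e[3]
    if (bkind, bound) != (kind, name):     # not shadowed: substitute in the body
        if (bkind, bound) in free(s):      # rename the binder first
            renamed = f"{bound}_{next(_fresh)}"
            body = subst((bkind, renamed), bkind, bound, body)
            bound = renamed
        body = subst(s, kind, name, body)
    if tag == "lam":
        return ("lam", bound, e[2], body)
    return ("letbox", bound, subst(s, kind, name, e[2]), body)


def step(e):
    """One reduction step, or None when e is irreducible. The relation is
    nondeterministic; this picks the outermost-leftmost redex."""
    tag = e[0]
    if tag == "app":
        f, a = e[1], e[2]
        if f[0] == "lam":                                   # beta
            return subst(a, "var", f[1], f[3])
        r = step(f)
        if r is not None:
            return ("app", r, a)                            # cong_app1
        r = step(a)
        return None if r is None else ("app", f, r)         # cong_app2
    if tag == "lam":                                        # cong_lam
        r = step(e[3])
        return None if r is None else ("lam", e[1], e[2], r)
    if tag == "letbox":
        u, e1, e2 = e[1], e[2], e[3]
        if e1[0] == "box":                                  # let box u = box E1 in E2
            return subst(e1[1], "mvar", u, e2)
        r = step(e1)
        if r is not None:
            return ("letbox", u, r, e2)                     # cong_letbox1
        r = step(e2)
        return None if r is None else ("letbox", u, e1, r)  # cong_letbox2
    return None        # variables, and box E: there is no congruence rule for box


def run_stage(e, fuel=10_000):
    """Reduce e until it is irreducible; return (term, number of steps)."""
    for steps in range(fuel):
        r = step(e)
        if r is None:
            return e, steps
        e = r
    raise RuntimeError("no irreducible form within the step budget")


# Constructed sample terms. ID_REDEX is lam z:A. (lam w:A. w) z.
ID_REDEX = ("lam", "z", "A", ("app", ("lam", "w", "A", ("var", "w")), ("var", "z")))
TWICE = ("lam", "x", ("Box", ("->", "A", "A")),
         ("letbox", "u", ("var", "x"),
          ("box", ("lam", "y", "A",
                   ("app", ("mvar", "u"), ("app", ("mvar", "u"), ("var", "y")))))))
STAGED = ("app", TWICE, ("box", ID_REDEX))       # closed, of type Box(A -> A)
EVAL = ("lam", "x", ("Box", ("->", "A", "A")),
        ("letbox", "u", ("var", "x"), ("mvar", "u")))
```
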

Thus, it appears that Palsberg’s two properties both follow relatively easily from subject
reduction for $\lambda_e^{\to\Box}$. However, there is still more to consider, because it is possible that eliminable
subterms could reduce to persistent terms. This is ruled out syntactically in the two-level language
studied by Palsberg, but in our case we need to show this explicitly. To argue about “images under
reduction” we temporarily extend $\lambda_e^{\to\Box}$ with labels.


Terms $E ::= \cdots \mid E^l$


Labels  have  no  impact  on  typing  and  can  be  reduced  away. 

$$\dfrac{\Delta; \Gamma \vdash_e E : A}{\Delta; \Gamma \vdash_e E^l : A}\ \mathsf{LB}$$

$$\dfrac{}{E^l \longmapsto E}\ \mathsf{unlabel}$$

Recall  that  there  is  no  congruence  rule  for  box  so  that  the  rule  unlabel  can  not  be  applied  to  a 
label  in  the  scope  of  a  box  constructor. 

Now suppose $E_1$ and $E_2$ differ only in that some subterms of $E_1$ have been labelled in $E_2$. Then
typing and reduction correspond between $E_1$ and $E_2$. That is, $\Delta; \Gamma \vdash_e E_1 : A$ iff $\Delta; \Gamma \vdash_e E_2 : A$, and
$E_1 \longmapsto^* E_1'$ iff $E_2 \longmapsto^* E_2'$ where $E_1'$ and $E_2'$ differ only in their labelling. This allows us to trace
the “images under reduction” of eliminable parts of an unlabelled term by labelling all persistent
subterm occurrences. The following theorem then expresses that only persistent parts of a term
can yield persistent images. Here, for every subterm occurrence of the form $E^l$, both E and $E^l$ are
considered to be labelled with l. No other subterm occurrences are considered labelled.

Theorem 6 (Persistence) If $\Delta; \Gamma \vdash_e E : A$, all persistent subterm occurrences of E are labelled
with l, and $E \longmapsto E'$, then all persistent subterm occurrences of E′ are labelled with l.

Proof: By induction on the derivation of $E \longmapsto E'$.

Case:

$$\frac{}{(\lambda x{:}A.\,E_2)\,E_1 \longmapsto [E_1/x]E_2}$$

The result follows because the modal restriction in the typing rules does not allow $x$ to appear in $E_2$ in a position enclosed by a box constructor. Formally, this case requires an auxiliary induction on $E_2$.

Case:

$$\frac{}{\mathbf{let\ box}\ u = \mathbf{box}\,E_1\ \mathbf{in}\ E_2 \longmapsto [E_1/u]E_2}$$

The result follows because every subterm in $E_1$ is labelled with $l$.

Case:

$$\frac{E_2 \longmapsto E_2'}{\mathbf{let\ box}\ u = E_1\ \mathbf{in}\ E_2 \longmapsto \mathbf{let\ box}\ u = E_1\ \mathbf{in}\ E_2'}\ \text{cong\_letbox2}$$

The result follows immediately by the induction hypothesis.

The other congruence cases are similar. If there were a congruence for box, that case would fail.

Case:

$$\frac{}{E^{l} \longmapsto E}\ \text{unlabel}$$

The result is immediate, since $E$ is not enclosed by box and therefore not persistent.

□

Interpreted as a statement about code manipulation during evaluation, this theorem says that we can never construct code from terms which were not originally code. This is one of the essential properties of $\lambda_e^{\to\Box}$ which makes it a suitable basis for languages allowing explicit code manipulation.

There is a dual property to persistence which is also enforced syntactically in the languages studied by Palsberg, namely that the eliminable parts of terms in the result of reduction only appear as the images of the eliminable parts of the original term. It is an important aspect of $\lambda_e^{\to\Box}$ that it does not have this property, as shown by the counterexample:

$$\mathbf{let\ box}\ u = \mathbf{box}\,E\ \mathbf{in}\ u \longmapsto E$$

$E$ appears in a persistent (or code) position on the left, but in an eliminable (or value) position on the right. From the point of view of code manipulation it is easy to explain why this is allowed. In the languages we are interested in, the code representation for $E$ can be evaluated to return a value for $E$, which stands in contrast to the languages studied by Palsberg.




Evaluation of code is expressed in $\lambda_e^{\to\Box}$ by occurrences of code variables $u$ which are not enclosed by a box constructor. From a logical point of view, such instances correspond exactly to proofs which depend on the reflexivity of the Kripke reachability relation for modal S4. If we modify the rules to disallow such instances, we obtain the modal logic K4 and a corresponding modal λ-calculus which is somewhat closer to the two-level languages studied by Palsberg. If we also remove the transitivity of reachability from K4, we obtain the modal logic K and a corresponding modal λ-calculus which removes another feature of $\lambda_e^{\to\Box}$ that is not present in two-level languages, namely the ability to substitute code directly into code which is itself part of a code expression. So the following function from $\lambda_e^{\to\Box}$ would no longer be well-typed.

$$(\lambda x{:}\Box A.\ \mathbf{let\ box}\ u = \mathbf{box}\,E\ \mathbf{in}\ \mathbf{box}\,\mathbf{box}\,u) : \Box A \to \Box\Box A$$

Allowing this feature in $\lambda_e^{\to\Box}$ seems reasonable and useful, though perhaps not as important as the inclusion of evaluation of code. We will come back to languages based on modal K later in Section 6, where we will briefly explain an exact correspondence between such languages and multi-level generalizations of two-level languages.

3 Modal Mini-ML: Explicit Formulation

This section presents Mini-ML$^\Box$, a language that combines some elements of Mini-ML [CDDK86] with the $\lambda_e^{\to\Box}$-calculus of the previous section. For the sake of simplicity Mini-ML$^\Box$ is explicitly typed. ML-style or explicit polymorphism can also be added in a straightforward manner; we omit the details here in order to concentrate on the essential issues.

We  present  an  operational  semantics  for  the  language,  and  demonstrate  some  basic  properties 
such  as  type  preservation.  We  also  demonstrate  the  strong  staging  properties  of  the  language. 
In  the  description  of  the  operational  semantics  we  choose  the  usual  device  of  representing  values 
(including  code)  by  corresponding  source  expressions.  This  may  be  refined  in  different  ways  for 
lower-level  semantics  describing,  for  example,  run-time  code  generation  or  partial  evaluation. 

3.1  Syntax 


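$$
\begin{array}{llcl}
\text{Types} & A & ::= & \mathsf{nat} \mid A_1 \to A_2 \mid A_1 \times A_2 \mid 1 \mid \Box A \\
\text{Terms} & E & ::= & x \mid \lambda x{:}A.\,E \mid E_1\,E_2 \\
 & & \mid & u \mid \mathbf{box}\,E \mid \mathbf{let\ box}\ u = E_1\ \mathbf{in}\ E_2 \\
 & & \mid & \langle E_1, E_2\rangle \mid \mathbf{fst}\,E \mid \mathbf{snd}\,E \\
 & & \mid & \langle\,\rangle \\
 & & \mid & \mathbf{z} \mid \mathbf{s}\,E \mid (\mathbf{case}\ E_1\ \mathbf{of}\ \mathbf{z} \Rightarrow E_2 \mid \mathbf{s}\,x \Rightarrow E_3) \\
 & & \mid & \mathbf{fix}\ x{:}A.\,E \\
\text{Ordinary Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}A \\
\text{Modal Contexts} & \Delta & ::= & \cdot \mid \Delta, u{:}A
\end{array}
$$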

This  language  extends  the  one  in  the  previous  section,  and  we  continue  to  use  the  conventions 
introduced  in  that  section. 


3.2  Typing  Rules 

Our  typing  rules  for  the  Mini-ML  fragment  of  the  explicit  language  are  completely  standard,  and 
we  follow  the  previous  section  for  the  modal  fragment. 
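$\Delta;\Gamma \vdash E : A$    $E$ has type $A$ in modal context $\Delta$ and ordinary context $\Gamma$.

Functions

$$
\frac{x{:}A \text{ in } \Gamma}{\Delta;\Gamma \vdash x : A}\ \text{tpe\_ovar}
\qquad
\frac{\Delta;(\Gamma, x{:}A) \vdash E : B}{\Delta;\Gamma \vdash \lambda x{:}A.\,E : A \to B}\ \text{tpe\_lam}
$$

$$
\frac{\Delta;\Gamma \vdash E_1 : B \to A \qquad \Delta;\Gamma \vdash E_2 : B}{\Delta;\Gamma \vdash E_1\,E_2 : A}\ \text{tpe\_app}
$$

Code

$$
\frac{u{:}A \text{ in } \Delta}{\Delta;\Gamma \vdash u : A}\ \text{tpe\_mvar}
\qquad
\frac{\Delta;\cdot \vdash E : A}{\Delta;\Gamma \vdash \mathbf{box}\,E : \Box A}\ \text{tpe\_box}
$$

$$
\frac{\Delta;\Gamma \vdash E_1 : \Box A \qquad (\Delta, u{:}A);\Gamma \vdash E_2 : B}{\Delta;\Gamma \vdash \mathbf{let\ box}\ u = E_1\ \mathbf{in}\ E_2 : B}\ \text{tpe\_let\_box}
$$

Products

$$
\frac{\Delta;\Gamma \vdash E_1 : A_1 \qquad \Delta;\Gamma \vdash E_2 : A_2}{\Delta;\Gamma \vdash \langle E_1, E_2\rangle : A_1 \times A_2}\ \text{tpe\_pair}
$$

$$
\frac{\Delta;\Gamma \vdash E : A_1 \times A_2}{\Delta;\Gamma \vdash \mathbf{fst}\,E : A_1}\ \text{tpe\_fst}
\qquad
\frac{\Delta;\Gamma \vdash E : A_1 \times A_2}{\Delta;\Gamma \vdash \mathbf{snd}\,E : A_2}\ \text{tpe\_snd}
$$

$$
\frac{}{\Delta;\Gamma \vdash \langle\,\rangle : 1}\ \text{tpe\_unit}
$$

Natural Numbers

$$
\frac{}{\Delta;\Gamma \vdash \mathbf{z} : \mathsf{nat}}\ \text{tpe\_z}
\qquad
\frac{\Delta;\Gamma \vdash E : \mathsf{nat}}{\Delta;\Gamma \vdash \mathbf{s}\,E : \mathsf{nat}}\ \text{tpe\_s}
$$

$$
\frac{\Delta;\Gamma \vdash E_1 : \mathsf{nat} \qquad \Delta;\Gamma \vdash E_2 : A \qquad \Delta;(\Gamma, x{:}\mathsf{nat}) \vdash E_3 : A}{\Delta;\Gamma \vdash (\mathbf{case}\ E_1\ \mathbf{of}\ \mathbf{z} \Rightarrow E_2 \mid \mathbf{s}\,x \Rightarrow E_3) : A}\ \text{tpe\_case}
$$

Recursion

$$
\frac{\Delta;(\Gamma, x{:}A) \vdash E : A}{\Delta;\Gamma \vdash \mathbf{fix}\ x{:}A.\,E : A}\ \text{tpe\_fix}
$$

As before, there is only one rule which introduces variables into the modal context (here called tpe_let_box).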

3.3  Operational  Semantics 

The Mini-ML fragment of our system has a standard call-by-value operational semantics. For the modal part, we represent code for $E$ simply by $\mathbf{box}\,E$, making the least commitment concerning lower-level implementations.

Values $V ::= \lambda x{:}A.\,E \mid \langle V_1, V_2\rangle \mid \langle\,\rangle \mid \mathbf{z} \mid \mathbf{s}\,V \mid \mathbf{box}\,E$

We evaluate $\mathbf{let\ box}\ x = E_1\ \mathbf{in}\ E_2$ by substituting the code generated by evaluating $E_1$ for $x$ in $E_2$ and then evaluating $E_2$. The code generated by $E_1$ may then be evaluated during the evaluation of $E_2$ as necessary. On the λ-calculus and modal fragments our semantics corresponds to a reduction strategy for $\lambda_e^{\to\Box}$.

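$E \hookrightarrow V$    Expression $E$ evaluates to value $V$.

Functions

$$
\frac{}{\lambda x{:}A.\,E \hookrightarrow \lambda x{:}A.\,E}\ \text{ev\_lam}
$$

$$
\frac{E_1 \hookrightarrow \lambda x{:}A.\,E_1' \qquad E_2 \hookrightarrow V_2 \qquad [V_2/x]E_1' \hookrightarrow V}{E_1\,E_2 \hookrightarrow V}\ \text{ev\_app}
$$

Code

$$
\frac{}{\mathbf{box}\,E \hookrightarrow \mathbf{box}\,E}\ \text{ev\_box}
\qquad
\frac{E_1 \hookrightarrow \mathbf{box}\,E_1' \qquad [E_1'/u]E_2 \hookrightarrow V_2}{\mathbf{let\ box}\ u = E_1\ \mathbf{in}\ E_2 \hookrightarrow V_2}\ \text{ev\_let\_box}
$$

Products

$$
\frac{E_1 \hookrightarrow V_1 \qquad E_2 \hookrightarrow V_2}{\langle E_1, E_2\rangle \hookrightarrow \langle V_1, V_2\rangle}\ \text{ev\_pair}
$$

$$
\frac{E \hookrightarrow \langle V_1, V_2\rangle}{\mathbf{fst}\,E \hookrightarrow V_1}\ \text{ev\_fst}
\qquad
\frac{E \hookrightarrow \langle V_1, V_2\rangle}{\mathbf{snd}\,E \hookrightarrow V_2}\ \text{ev\_snd}
\qquad
\frac{}{\langle\,\rangle \hookrightarrow \langle\,\rangle}\ \text{ev\_unit}
$$

Natural Numbers

$$
\frac{}{\mathbf{z} \hookrightarrow \mathbf{z}}\ \text{ev\_z}
\qquad
\frac{E \hookrightarrow V}{\mathbf{s}\,E \hookrightarrow \mathbf{s}\,V}\ \text{ev\_s}
$$

$$
\frac{E_1 \hookrightarrow \mathbf{z} \qquad E_2 \hookrightarrow V}{(\mathbf{case}\ E_1\ \mathbf{of}\ \mathbf{z} \Rightarrow E_2 \mid \mathbf{s}\,x \Rightarrow E_3) \hookrightarrow V}\ \text{ev\_case\_z}
$$

$$
\frac{E_1 \hookrightarrow \mathbf{s}\,V_1' \qquad [V_1'/x]E_3 \hookrightarrow V}{(\mathbf{case}\ E_1\ \mathbf{of}\ \mathbf{z} \Rightarrow E_2 \mid \mathbf{s}\,x \Rightarrow E_3) \hookrightarrow V}\ \text{ev\_case\_s}
$$

Recursion

$$
\frac{[\mathbf{fix}\ x{:}A.\,E/x]E \hookrightarrow V}{\mathbf{fix}\ x{:}A.\,E \hookrightarrow V}\ \text{ev\_fix}
$$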


The structural and substitution properties for $\lambda_e^{\to\Box}$ extend to Mini-ML$^\Box$ in a completely straightforward way, and we will make use of them below. We restate only the substitution lemma.

Lemma 7 (Substitution)

1. If $\Delta;\Gamma \vdash E_1 : A$ and $\Delta;(\Gamma, x{:}A, \Gamma') \vdash E_2 : B$ then $\Delta;(\Gamma, \Gamma') \vdash [E_1/x]E_2 : B$.

2. If $\Delta;\cdot \vdash E_1 : A$ and $(\Delta, u{:}A, \Delta');\Gamma \vdash E_2 : B$ then $(\Delta, \Delta');\Gamma \vdash [E_1/u]E_2 : B$.

Proof: By straightforward inductions on the typing derivations for $E_2$. □

Theorem 8 (Determinacy and Type Preservation)

1. If $E \hookrightarrow V$ then $V$ is a value.

2. If $E \hookrightarrow V$ and $E \hookrightarrow V'$ then $V = V'$ (modulo renaming of bound variables).

3. If $E \hookrightarrow V$ and $\cdot;\cdot \vdash E : A$ then $\cdot;\cdot \vdash V : A$.


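Proof: By inductions over the structure of the derivation $\mathcal{D}$ of $E \hookrightarrow V$. The cases for the non-modal part are completely standard. The cases for ev_box are trivial and those for ev_let_box are straightforward for value soundness and determinacy. We thus show only the ev_let_box case in the proof of type preservation.

Case:

$$
\mathcal{D} = \dfrac{\begin{array}{cc}\mathcal{D}_1 & \mathcal{D}_2\\ E_1 \hookrightarrow \mathbf{box}\,E_1' & [E_1'/u]E_2 \hookrightarrow V_2\end{array}}{\mathbf{let\ box}\ u = E_1\ \mathbf{in}\ E_2 \hookrightarrow V_2}\ \text{ev\_let\_box}
$$

$$
\begin{array}{ll}
\cdot;\cdot \vdash E_1 : \Box B \text{ and } (\cdot, u{:}B);\cdot \vdash E_2 : A & \text{by inversion}\\
\cdot;\cdot \vdash \mathbf{box}\,E_1' : \Box B & \text{by ind. hyp.}\\
\cdot;\cdot \vdash E_1' : B & \text{by inversion}\\
\cdot;\cdot \vdash [E_1'/u]E_2 : A & \text{by substitution lemma}\\
\cdot;\cdot \vdash V_2 : A & \text{by ind. hyp.}
\end{array}
$$

□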

Since our semantics for Mini-ML$^\Box$ is the natural extension of a reduction strategy for $\lambda_e^{\to\Box}$, the staging correctness results in Section 2 carry over to Mini-ML$^\Box$. We now briefly discuss the staging captured in Mini-ML$^\Box$ in informal terms.

Suppose that $\cdot;\cdot \vdash E : \Box A$ and $E \hookrightarrow V$. By value soundness and type preservation we have $V = \mathbf{box}\,E'$. Thus the result consists only of residual code to be executed in the next stage. Further, by the modal restrictions, only terms enclosed by box constructors are ever substituted into other box constructors. As a result, the parts of the original program $E$ not enclosed by any box constructor can be designated eliminable (static) since they will not appear in the residual code $E'$.

Further,  the  body  of  a  box  constructor  can  be  considered  persistent  (dynamic)  in  the  sense  that 
we  do  not  evaluate  underneath  the  box  constructor.  The  only  way  for  evaluation  to  proceed  to  the 
body  of  the  box  constructor  is  by  using  the  variable  bound  by  a  let  box  elimination  construct  to 
indicate  where  the  delayed  computation  should  be  performed. 

3.4  Example:  The  Power  Function  in  Explicit  Form 

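We now define the power function in Mini-ML$^\Box$ in such a way that it has type $\mathsf{nat} \to \Box(\mathsf{nat} \to \mathsf{nat})$, assuming a closed term $\mathit{times} : \mathsf{nat} \to \mathsf{nat} \to \mathsf{nat}$ (definable in the Mini-ML fragment in the standard way).

$$
\begin{array}{l}
\mathit{power} = \mathbf{fix}\ p{:}\mathsf{nat} \to \Box(\mathsf{nat} \to \mathsf{nat}).\\
\quad \lambda n{:}\mathsf{nat}.\ \mathbf{case}\ n\\
\quad\quad \mathbf{of}\ \mathbf{z} \Rightarrow \mathbf{box}\,(\lambda x{:}\mathsf{nat}.\ \mathbf{s}\,\mathbf{z})\\
\quad\quad \mid\ \mathbf{s}\,m \Rightarrow \mathbf{let\ box}\ q = p\,m\ \mathbf{in}\\
\quad\quad\quad\quad \mathbf{box}\,(\lambda x{:}\mathsf{nat}.\ \mathit{times}\ x\ (q\,x))
\end{array}
$$

The type $\mathsf{nat} \to \Box(\mathsf{nat} \to \mathsf{nat})$ expresses that power evaluates everything that depends on the first argument of type nat (the exponent) and returns residual code of type $\Box(\mathsf{nat} \to \mathsf{nat})$. Indeed, we calculate with our operational semantics:

$$
\begin{array}{lcl}
\mathit{power}\ \mathbf{z} & \hookrightarrow & \mathbf{box}\,(\lambda x{:}\mathsf{nat}.\ \mathbf{s}\,\mathbf{z})\\
\mathit{power}\ (\mathbf{s}\,\mathbf{z}) & \hookrightarrow & \mathbf{box}\,(\lambda x{:}\mathsf{nat}.\ \mathit{times}\ x\ ((\lambda x{:}\mathsf{nat}.\ \mathbf{s}\,\mathbf{z})\,x))\\
\mathit{power}\ (\mathbf{s}\,(\mathbf{s}\,\mathbf{z})) & \hookrightarrow & \mathbf{box}\,(\lambda x{:}\mathsf{nat}.\ \mathit{times}\ x\ ((\lambda x{:}\mathsf{nat}.\ \mathit{times}\ x\ ((\lambda x{:}\mathsf{nat}.\ \mathbf{s}\,\mathbf{z})\,x))\,x))
\end{array}
$$

Modulo some trivial redices of variables for variables, this is the result we would expect from the partial evaluation of the power function.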

3.5  Implementation  Issues 

The operational semantics of Mini-ML$^\Box$ may be implemented by a translation into pure Mini-ML, by the mapping:

$$
\begin{array}{rcll}
\Box A & \mapsto & 1 \to A & \\
\mathbf{box}\,E & \mapsto & \lambda x{:}1.\,E & \text{(where $x$ not free in $E$)}\\
\mathbf{let\ box}\ u = E_1\ \mathbf{in}\ E_2 & \mapsto & (\lambda x{:}1 \to A.\ [x\,\langle\,\rangle/u]E_2)\ E_1 & \text{(where $x$ not free in $E_2$)}
\end{array}
$$

It may then appear that the modal fragment of Mini-ML$^\Box$ is redundant. Note, however, that the type $1 \to A$ does not express any binding-time properties, while $\Box A$ does. It is precisely this distinction which makes Mini-ML$^\Box$ interesting: The type checker will reject programs which may execute correctly, but for which the desired binding-time separation is violated. Without the modal operator, this property cannot be expressed and consequently not checked.
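The following Python sketch is an added example, not code from the paper: an untyped evaluator for the rules of Section 3.3, run on the power function of Section 3.4, together with the translation above that turns box into a thunk. The tuple encoding, the helper names, and the treatment of times and plus as named constants are assumptions of this example.

```python
import itertools

# Terms are tuples; type annotations are omitted and nothing here type-checks:
#   ('var',x) ('lam',x,E) ('app',E1,E2) ('box',E) ('letbox',u,E1,E2) ('unit',)
#   ('z',) ('s',E) ('case',E1,E2,x,E3) ('fix',x,E) ('const',name)
V = lambda x: ('var', x)
lam = lambda x, body: ('lam', x, body)

def app(f, *args):
    for a in args:
        f = ('app', f, a)
    return f

def num(k):
    return ('z',) if k == 0 else ('s', num(k - 1))

def to_int(v):
    return 0 if v == ('z',) else 1 + to_int(v[1])

def subst(e, x, v):
    """[v/x]e; every v passed in is closed or uses only fresh names (no capture)."""
    tag = e[0]
    if tag == 'var':
        return v if e[1] == x else e
    if tag in ('z', 'unit', 'const'):
        return e
    if tag in ('lam', 'fix'):
        return e if e[1] == x else (tag, e[1], subst(e[2], x, v))
    if tag == 'letbox':
        body = e[3] if e[1] == x else subst(e[3], x, v)
        return ('letbox', e[1], subst(e[2], x, v), body)
    if tag == 'case':
        succ = e[4] if e[3] == x else subst(e[4], x, v)
        return ('case', subst(e[1], x, v), subst(e[2], x, v), e[3], succ)
    return (tag,) + tuple(subst(c, x, v) for c in e[1:])   # app, s, box

# Assumption: plus and times are named constants defined in the non-modal fragment.
DEFS = {
    'plus': ('fix', 'p', lam('m', lam('n', ('case', V('m'), V('n'),
             'k', ('s', app(V('p'), V('k'), V('n'))))))),
    'times': ('fix', 't', lam('m', lam('n', ('case', V('m'), ('z',),
              'k', app(('const', 'plus'), V('n'), app(V('t'), V('k'), V('n'))))))),
}
TIMES = ('const', 'times')

def evaluate(e):
    """Big-step call-by-value evaluation of a closed term (the ev_ rules)."""
    tag = e[0]
    if tag in ('lam', 'box', 'z', 'unit'):      # ev_lam, ev_box, ev_z, ev_unit
        return e
    if tag == 's':                              # ev_s
        return ('s', evaluate(e[1]))
    if tag == 'app':                            # ev_app
        f, a = evaluate(e[1]), evaluate(e[2])
        return evaluate(subst(f[2], f[1], a))
    if tag == 'letbox':                         # ev_let_box: splice code in for u
        code = evaluate(e[2])[1]
        return evaluate(subst(e[3], e[1], code))
    if tag == 'case':                           # ev_case_z, ev_case_s
        n = evaluate(e[1])
        return evaluate(e[2]) if n == ('z',) else evaluate(subst(e[4], e[3], n[1]))
    if tag == 'fix':                            # ev_fix
        return evaluate(subst(e[2], e[1], e))
    if tag == 'const':
        return evaluate(DEFS[e[1]])
    raise ValueError('not a closed term: %r' % (e,))

# power from Section 3.4
POWER = ('fix', 'p', lam('n', ('case', V('n'),
         ('box', lam('x', ('s', ('z',)))),
         'm', ('letbox', 'q', app(V('p'), V('m')),
               ('box', lam('x', app(TIMES, V('x'), app(V('q'), V('x')))))))))

_fresh = itertools.count()
def erase(e):
    """Section 3.5 translation: box E becomes a thunk, let box forces it with ()."""
    tag = e[0]
    if tag == 'box':
        return lam('_unit%d' % next(_fresh), erase(e[1]))
    if tag == 'letbox':
        x = '_code%d' % next(_fresh)
        forced = app(V(x), ('unit',))           # x ()
        return app(lam(x, subst(erase(e[3]), e[1], forced)), erase(e[2]))
    if tag in ('var', 'z', 'unit', 'const'):
        return e
    if tag in ('lam', 'fix'):
        return (tag, e[1], erase(e[2]))
    if tag == 'case':
        return ('case', erase(e[1]), erase(e[2]), e[3], erase(e[4]))
    return (tag,) + tuple(erase(c) for c in e[1:])   # app, s

def residual(n):
    """Stage one: power n. The value is box E', the residual code."""
    return evaluate(app(POWER, num(n)))

def run(n, base, translate=lambda e: e):
    """Stage two: let box f = power n in f base, optionally after erasure."""
    prog = ('letbox', 'f', app(POWER, num(n)), app(V('f'), num(base)))
    return to_int(evaluate(translate(prog)))
```

Both versions compute the same numbers, but only the modal version returns a box value whose body can be inspected as residual code; the erased program returns an ordinary function.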

A more efficient implementation method would be to interpret $\Box A$ as a datatype representing code that calculates a value of type $A$. The representation must support substitution of one code fragment into another, as required by the ev_let_box rule. If the code is machine code, this naturally leads to the idea of templates, as used in run-time code generation (see [KEH93]). For many applications this code would instead be source expressions or some intermediate language, thus allowing optimization after code substitution, as in partial evaluation [JGS93]. In our own experiments in run-time code generation [WLPD98, WLP98], following ideas in [LL94, LL96], expressions of type $\Box A$ are compiled into generating extensions which emit machine code at run-time and then jump to it to effect evaluation. References to free code variables then represent calls from one generator to another.

4 A Kripke-Style Modal λ-Calculus

The  modal  logic  in  Section  2  was  motivated  by  the  goal  to  capture  validity.  A  valid  proposition  is 
one  with  a  closed  proof  term,  and  closed  proof  terms  correspond  to  code  which  can  be  explicitly 
manipulated  and  safely  evaluated. 

In  this  section  we  construct  a  modal  logic  based  on  Kripke’s  multiple-world  interpretation  of 
modal  logic  [Kri63].  A  world  corresponds  to  a  stage  of  computation  during  evaluation.  A  value 
computed  at  a  given  stage  of  computation  is  available  in  all  accessible  stages,  according  to  the 
accessibility  relation  between  worlds  of  the  Kripke  semantics.  Subtly  different  modal  logics  arise, 
depending  on  the  properties  of  the  accessibility  relation  between  worlds.  They  are  captured  by 
structural rules built into the elimination rule for necessity ($\Box E$). In its most general form, we
exactly  capture  validity  and  thereby  the  intuitionistic  modal  logic  S4  presented  in  Section  2. 

Our  rules  constitute  a  simplification  of  the  system  in  [PW95]  and  [DP96].  In  particular  we 
have  replaced  the  structural  rule  pop  by  a  more  general  form  of  elimination  which  can  be  motivated 
from  the  perspective  of  pure  natural  deduction. 

We  prove  the  correctness  of  our  system  by  relating  it  to  the  natural  deduction  system  for  S4 
presented  in  Section  2  via  two  translations  between  proof  terms.  In  Section  5  we  extend  this 
formulation of modal logic to Mini-ML$^\Box$, which leads to a staged programming style akin to Lisp’s
quasiquote,  unquote,  and  eval.  Instead  of  giving  a  direct  operational  semantics  for  this  language 
we  present  a  type  preserving  compilation  to  the  explicit  language  from  Section  3.  We  give  an 
embedding  of  a  two-level  language  [NN92]  into  our  language  in  Section  6. 

4.1  A  Kripke-Style  Natural  Deduction  System 

In  Kripke’s  interpretation  of  modal  logic,  the  truth  of  a  proposition  is  relativized  to  a  world.  Modal 
operators  allow  us  to  reason  about  the  truth  of  a  proposition  in  all  worlds  accessible  from  the  current 
world.  Imposing  laws  on  the  accessibility  relation  between  worlds  (such  as  reflexivity,  transitivity, 
or  symmetry)  leads  to  different  modal  logics.  A  world  in  the  sense  of  Kripke  is  represented  by 
a  context  of  hypotheses  containing  propositions  we  know  to  be  true  in  this  world.  Based  on  this 
intuition,  our  main  judgment  has  the  form 

$$\Gamma_1;\Gamma_2;\ldots;\Gamma_n \vdash A$$

which expresses that $A$ is true in the current world $\Gamma_n$. Furthermore, $\Gamma_1$ represents hypotheses true in some initial world, $\Gamma_2$ represents the hypotheses true in an arbitrary world reachable from $\Gamma_1$, and so on.

From the functional point of view, $\Gamma_i$ binds variables available at stage $i$ of the computation, where the proof term assigned to $A$ may be executed at stage $n$. We refer to $\Gamma_1;\ldots;\Gamma_n$ as the world stack or context stack since worlds are related to contexts by the Curry-Howard isomorphism. Note that there will always be at least one context in the context stack: the current world. We abbreviate (a possibly empty) context stack by $\Psi$.

As in Section 2 we now systematically develop a system of natural deduction for this judgment which includes proof terms. First, only the hypotheses in the current world are available to derive the conclusion.


$$\frac{x{:}A \text{ in } \Gamma}{\Psi;\Gamma \vdash x : A}\ \text{var}$$

The substitution principle applies to arbitrary worlds, as long as we establish truth in the appropriate world.

Substitution Principle

If $\Psi;\Gamma \vdash M_1 : A$ and $\Psi;(\Gamma, x{:}A, \Gamma');\Psi' \vdash M_2 : C$ then $\Psi;(\Gamma, \Gamma');\Psi' \vdash [M_1/x]M_2 : C$.

In the special case that $\Psi'$ is empty, the current worlds in both given derivations coincide. We will formally demonstrate this property of the system later.

There  are  two  kinds  of  structural  properties.  First,  we  have  exchange,  weakening  and  contraction 
within  each  world  in  the  world  stack.  We  will  not  formally  restate  this.  Second,  depending  on  the 
properties  of  the  accessibility  relation,  we  might  have  some  structural  properties  on  the  world  stack. 
In  K  we  have  none.  If  we  add  reflexivity  of  the  accessibility  relation,  we  reason  as  follows:  If  we 
have a judgment

$$\Psi;\Gamma;\Gamma';\Psi' \vdash M : C$$

then $\Gamma'$ contains hypotheses assumed to be true in an arbitrary world accessible from $\Gamma$. But $\Gamma$ itself is accessible from $\Gamma$ (by reflexivity), so $C$ should still be true if we join $\Gamma$ and $\Gamma'$.

$$\Psi;(\Gamma, \Gamma');\Psi' \vdash M' : C$$

Whether  M'  is  different  from  M  depends  on  how  much  information  is  present  in  the  term  itself,  as 
we  shall  see  later.  We  refer  to  this  as  modal  fusion. 

For example, omitting proof terms, we read the judgment

$$\Box(A \to B); A \vdash B$$

as

If $\Box(A \to B)$ is true in some world $w_1$ and $A$ is true in an arbitrary world $w_2$ reachable from $w_1$, then $B$ is true in $w_2$.

If we assume reflexivity of the accessibility relation, we know that $w_1$ is accessible from $w_1$, so we can infer from the above by replacing $w_2$ with $w_1$:

If $\Box(A \to B)$ is true in $w_1$ and $A$ is true in $w_1$ then $B$ is true in $w_1$.

In symbolic form, we write this as


which is exactly the result of fusion applied to the first judgment.

Next  we  add  transitivity.  Consider  once  again 

$$\Psi;\Gamma;\Gamma';\Psi' \vdash M : C.$$

Then if we add an arbitrary world accessible from $\Gamma$ from which $\Gamma'$ can be reached, the judgment should continue to hold, because $\Gamma'$ is still accessible from $\Gamma$ by transitivity.

$$\Psi;\Gamma;\cdot;\Gamma';\Psi' \vdash M' : C$$

Again,  M'  may  be  identical  to  M  or  it  can  be  directly  created  from  M,  depending  how  much 
information  we  represent  in  proof  terms.  We  refer  to  this  property  as  modal  weakening.  Note  that 
by  ordinary  weakening,  the  new  interposed  world  may  also  contain  arbitrary  assumptions  without 
invalidating  the  judgment. 

Now  we  define  the  connectives  via  their  introduction  and  elimination  rules.  Implication  only 
affects  the  current  world  and  is  similar  to  what  we  have  presented  in  Section  2. 

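$$
\frac{\Psi;(\Gamma, x{:}A) \vdash M : B}{\Psi;\Gamma \vdash \lambda x{:}A.\,M : A \to B}\ {\to}I
\qquad
\frac{\Psi;\Gamma \vdash M : A \to B \qquad \Psi;\Gamma \vdash N : A}{\Psi;\Gamma \vdash M\,N : B}\ {\to}E
$$

Local soundness and completeness also work as before. The corresponding operations on proof terms are the familiar β-reduction and η-expansion.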

Recall that $\Box A$ should be true in the current world if $A$ is true in every reachable world. Since we have no information about the reachable worlds, we have no hypotheses about the truth of propositions in this world. Hence the introduction rule reads

$$\frac{\Psi;\Gamma;\cdot \vdash M : A}{\Psi;\Gamma \vdash \mathbf{box}\,M : \Box A}\ \Box I$$

The corresponding elimination rule states that if $\Box A$ is true in the current world, $A$ must be true in every reachable world. Which worlds are reachable depends, of course, on the accessibility relation for the modal logic under consideration. In its most general form (S4), the elimination rule reads

$$\frac{\Psi;\Gamma \vdash M : \Box A}{\Psi;\Gamma;\Gamma_1;\ldots;\Gamma_n \vdash \mathbf{unbox}_n\,M : A}\ \Box E$$

Note that $\Gamma_1$ is always accessible from $\Gamma$, so in K we only have $\mathbf{unbox}_1$. The worlds $\Gamma_2,\ldots,\Gamma_n$ are accessible from $\Gamma$ only because of transitivity, so in modal logic with transitivity we also have $\mathbf{unbox}_n$ for $n > 1$. $\Gamma$ is accessible from itself in a modal logic whose accessibility relation is reflexive, so there we also have $\mathbf{unbox}_0$.

Next  we  consider  local  soundness  and  completeness  of  the  rules  for  the  modal  operator.  Recall 
that  soundness  requires  that  an  introduction  rule  followed  by  an  elimination  rule  can  be  reduced 
to  a  direct  derivation  of  the  judgment. 
$$
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}\\ \Psi;\Gamma;\cdot \vdash M : A\end{array}}{\Psi;\Gamma \vdash \mathbf{box}\,M : \Box A}\ \Box I}{\Psi;\Gamma;\Gamma_1;\ldots;\Gamma_n \vdash \mathbf{unbox}_n\,(\mathbf{box}\,M) : A}\ \Box E
\quad\Longrightarrow\quad
\begin{array}{c}\mathcal{D}'\\ \Psi;\Gamma;\Gamma_1;\ldots;\Gamma_n \vdash M' : A\end{array}
$$

where $\mathcal{D}'$ and $M'$ exist by the structural properties of world stacks (modal fusion in the case that $n = 0$, ordinary weakening in the case that $n = 1$, and ordinary weakening and $n - 1$ applications of modal weakening in the case that $n > 1$).

Local completeness is a bit simpler. We have the following η-expansion:

$$
\begin{array}{c}\mathcal{D}\\ \Psi;\Gamma \vdash M : \Box A\end{array}
\quad\Longrightarrow\quad
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}\\ \Psi;\Gamma \vdash M : \Box A\end{array}}{\Psi;\Gamma;\cdot \vdash \mathbf{unbox}_1\,M : A}\ \Box E}{\Psi;\Gamma \vdash \mathbf{box}\,(\mathbf{unbox}_1\,M) : \Box A}\ \Box I
$$

We postpone a more formal discussion of the rules for β-reduction and η-expansion on terms to Section 4.4.

There are two simple and consistent variations on this system.

The first arises from an analysis of local completeness: one can see that only $\mathbf{unbox}_1$ is necessary. The others (which are locally sound!) have been incorporated so that we need no explicit structural rules. However, $\mathbf{unbox}_1$ plus explicit rules for modal fusion and weakening also make a sensible system with the same derivable judgments. For our purposes, a formulation without explicit structural rules is preferable, since it allows more compact programs and a simpler meta-theory.

In the second variant we replace the constructor $\mathbf{unbox}_n$ simply by $\mathbf{unbox}$. This would mean that $M' = M$ in the local reduction for $\Box$, and terms remain invariant under structural transformation of contexts. This more streamlined presentation of the calculus is not appropriate for our application, since the index $n$ in a term $\mathbf{unbox}_n\,M$ determines the stage at which $M$ is to be evaluated. Without the index, this would be ambiguous and depend on the typing derivation. In other words, the system would not be coherent.

4.2 Syntax

We summarize the syntax of the pure fragment.

$$
\begin{array}{llcl}
\text{Types} & A & ::= & A_1 \to A_2 \mid \Box A \\
\text{Terms} & M & ::= & x \mid \lambda x{:}A.\,M \mid M_1\,M_2 \mid \mathbf{box}\,M \mid \mathbf{unbox}_n\,M \\
\text{Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}A \\
\text{Context Stacks} & \Psi & ::= & \cdot \mid \Psi;\Gamma
\end{array}
$$

4.3 Natural Deduction Judgment

We summarize the rules defining the main judgment, $\Psi;\Gamma \vdash M : A$ as motivated and developed in Section 4.1.

$$
\frac{x{:}A \text{ in } \Gamma}{\Psi;\Gamma \vdash x : A}\ \text{var}
$$

$$
\frac{\Psi;(\Gamma, x{:}A) \vdash M : B}{\Psi;\Gamma \vdash \lambda x{:}A.\,M : A \to B}\ {\to}I
\qquad
\frac{\Psi;\Gamma \vdash M : A \to B \qquad \Psi;\Gamma \vdash N : A}{\Psi;\Gamma \vdash M\,N : B}\ {\to}E
$$

$$
\frac{\Psi;\Gamma;\cdot \vdash M : A}{\Psi;\Gamma \vdash \mathbf{box}\,M : \Box A}\ \Box I
\qquad
\frac{\Psi;\Gamma \vdash M : \Box A}{\Psi;\Gamma;\Gamma_1;\ldots;\Gamma_n \vdash \mathbf{unbox}_n\,M : A}\ \Box E
$$

4.4 Properties of the Kripke-style λ-calculus

Structural transformations change the nature of the proof term by relabelling indices to the unbox constructor. Such a relabelling is also necessary to write out the rules for β-reduction and η-expansion. We define $\{n/m\}M$ inductively on the structure of $M$.

$$
\begin{array}{lcll}
\{n/m\}x & = & x & \\
\{n/m\}\lambda x{:}A.\,M & = & \lambda x{:}A.\,\{n/m\}M & \\
\{n/m\}(M_1\,M_2) & = & (\{n/m\}M_1)\,(\{n/m\}M_2) & \\
\{n/m\}\mathbf{box}\,M & = & \mathbf{box}\,\{n/m+1\}M & \\
\{n/m\}\mathbf{unbox}_p\,M & = & \mathbf{unbox}_p\,\{n/m-p\}M & \text{for } p < m\\
 & = & \mathbf{unbox}_{p+n-1}\,M & \text{for } p \geq m
\end{array}
$$

This  operation  now  allows  us  to  state  the  substitution  and  structural  transformation  properties. 

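Lemma 9 (Modal Structural Transformation)

If $\Psi;\Gamma_0;\Delta_1;\ldots;\Delta_m \vdash M : A$ then $\Psi;\Gamma_0;\ldots;(\Gamma_n, \Delta_1);\ldots;\Delta_m \vdash \{n/m\}M : A$.

Proof: By induction over the structure of the given derivation $\mathcal{D}$ of $\Psi;\Gamma_0;\Delta_1;\ldots;\Delta_m \vdash M : A$. In each case except for $\Box E$ we immediately apply the induction hypothesis and reconstruct an appropriate derivation from the results. In the case of $\Box E$ we distinguish two subcases.

Case:

$$
\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}_1\\ \Psi;\Gamma_0;\Delta_1;\ldots;\Delta_{m-p} \vdash M_1 : \Box A\end{array}}{\Psi;\Gamma_0;\Delta_1;\ldots;\Delta_m \vdash \mathbf{unbox}_p\,M_1 : A}\ \Box E
$$

for $p < m$. Then

$$
\begin{array}{ll}
\Psi;\Gamma_0;\ldots;(\Gamma_n, \Delta_1);\ldots;\Delta_{m-p} \vdash \{n/m-p\}M_1 : \Box A & \text{by ind. hyp.}\\
\Psi;\Gamma_0;\ldots;(\Gamma_n, \Delta_1);\ldots;\Delta_m \vdash \mathbf{unbox}_p\,\{n/m-p\}M_1 : A & \text{by rule } \Box E\\
\Psi;\Gamma_0;\ldots;(\Gamma_n, \Delta_1);\ldots;\Delta_m \vdash \{n/m\}\mathbf{unbox}_p\,M_1 : A & \text{by definition of } \{n/m\}
\end{array}
$$

Case:

$$
\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}_1\\ \Psi';\Theta_{p-m} \vdash M_1 : \Box A\end{array}}{\Psi';\Theta_{p-m};\ldots;\Theta_0;\Delta_1;\ldots;\Delta_m \vdash \mathbf{unbox}_p\,M_1 : A}\ \Box E
$$

for $p \geq m$ where $\Psi = \Psi';\Theta_{p-m};\ldots;\Theta_1$ and $\Theta_0 = \Gamma_0$. Then

$$
\begin{array}{ll}
\Psi';\Theta_{p-m};\ldots;\Theta_0;\Gamma_1;\ldots;(\Gamma_n, \Delta_1);\ldots;\Delta_m \vdash \mathbf{unbox}_{p+n-1}\,M_1 : A & \text{by rule } \Box E \text{ applied to } \mathcal{D}_1\\
\Psi;\Gamma_0;\ldots;(\Gamma_n, \Delta_1);\ldots;\Delta_m \vdash \{n/m\}\mathbf{unbox}_p\,M_1 : A & \text{by definition of } \Theta_0 \text{ and } \{n/m\}
\end{array}
$$

□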

The  system  also  satisfies  the  usual  structural  properties  of  exchange,  weakening  and  contraction 
in  each  of  the  contexts  in  the  context  stack.  We  only  state  the  substitution  property  formally. 

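Lemma 10 (Substitution)

If $\Psi;\Gamma \vdash M_1 : A$ and $\Psi;(\Gamma, x{:}A, \Gamma');\Psi' \vdash M_2 : C$ then $\Psi;(\Gamma, \Gamma');\Psi' \vdash [M_1/x]M_2 : C$.

Proof: By induction over the structure of the derivation of $\Psi;(\Gamma, x{:}A, \Gamma');\Psi' \vdash M_2 : C$. □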

Then we have the rules of β-reduction and η-expansion, corresponding to local reduction and expansion in natural deduction.

$$
\begin{array}{rcl}
(\lambda x{:}A.\,M)\,N & \longrightarrow_\beta & [N/x]M\\
M : A_1 \to A_2 & \longrightarrow_\eta & \lambda x{:}A_1.\,M\,x\\
\mathbf{unbox}_n\,(\mathbf{box}\,M) & \longrightarrow_\beta & \{n/1\}M\\
M : \Box A & \longrightarrow_\eta & \mathbf{box}\,(\mathbf{unbox}_1\,M)
\end{array}
$$

Theorem 11 (Subject Reduction and Expansion)

1. If $\Psi;\Gamma \vdash M : A$ and $M \longrightarrow_\beta M'$ then $\Psi;\Gamma \vdash M' : A$.

2. If $\Psi;\Gamma \vdash M : A$ and $M : A \longrightarrow_\eta M'$ then $\Psi;\Gamma \vdash M' : A$.

Proof: In each case we apply inversion to the given typing derivation. For subject reduction we then either use modal structural transformation (Lemma 9) or substitution (Lemma 10). For subject expansion we directly construct a derivation of the conclusion, using weakening if necessary. □

4.5 Environments and Environment Stacks

In order to prove that the explicit and implicit formulations of S4 correspond, we need to develop some properties of environments and environment stacks. Roughly, an environment provides definitions for the modal variables available at a particular stage of the computation, while an environment stack extends this to all stages of a computation.

We define environments and stacks which bind patterns of the form box u to explicit terms E.

$$
\begin{array}{llcl}
\text{Environments} & \rho & ::= & \cdot \mid \rho, \mathbf{box}\ u = E\\
\text{Environment Stacks} & R & ::= & \odot \mid R;\rho
\end{array}
$$
The translations between the λ-calculi based on validity and multiple worlds require us to relate context pairs $\Delta;\Gamma$ to context stacks $\Psi$. This is achieved by the following typing judgments for environments and environment stacks. The latter ties in the context stacks of the implicit system. We use $\Theta$ to range over modal contexts.

$\Delta;\Gamma \vdash \rho : \Theta$    Environment $\rho$ matches $\Theta$ in contexts $\Delta$ and $\Gamma$

$\Psi \models R : \Delta$    Environment stack $R$ matches $\Delta$ in context stack $\Psi$

$$
\frac{}{\Delta;\Gamma \vdash \cdot : \cdot}\ \text{tpv\_empty}
\qquad
\frac{\Delta;\Gamma \vdash \rho : \Theta \qquad (\Delta, \Theta);\Gamma \vdash E : \Box A}{\Delta;\Gamma \vdash (\rho, \mathbf{box}\ u = E) : (\Theta, u{:}A)}\ \text{tpv\_bind}
$$

$$
\frac{}{\cdot \models \odot : \cdot}\ \text{tpr\_empty}
\qquad
\frac{\Psi \models R : \Delta \qquad \Delta;\Gamma \vdash \rho : \Theta}{\Psi;\Gamma \models (R;\rho) : (\Delta, \Theta)}\ \text{tpr\_env}
$$

We will tacitly use weakening for typing of environment stacks, which directly follows from weakening on the typing judgment for the explicit modal λ-calculus. We also need to use the following property.

Lemma 12 (Environment Extension)

If $\Psi;\Gamma \models (R;\rho) : \Delta$ and $\Delta;\Gamma \vdash E : \Box A$ then $\Psi;\Gamma \models (R;\rho, \mathbf{box}\ u = E) : (\Delta, u{:}A)$.

Proof: By inversion on the derivation for $(R;\rho)$ followed by a straightforward application of the typing rules for environments and environment stacks. □

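4.6 Translation from Explicit System

In this section we show that if A is true in the explicit system then A is also true in the implicit system. We show this by giving a translation on proof terms. The difficulty in defining and proving the correctness of this translation lies in the relation between the modal and ordinary contexts on the explicit side and the context stack on the implicit side. This relationship can be maintained via the environment stacks defined in the preceding section.

$R;\rho \triangleright E \mapsto M$    Expression $E$ translates to $M$ in environment stack $R;\rho$

This judgment is defined by the following rules.

$$
\frac{}{R;\rho \triangleright x \mapsto x}\ \text{tx\_ovar}
\qquad
\frac{R;\rho \triangleright E \mapsto M}{R;\rho \triangleright \lambda x{:}A.\,E \mapsto \lambda x{:}A.\,M}\ \text{tx\_lam}
$$

$$
\frac{R;\rho \triangleright E_1 \mapsto M_1 \qquad R;\rho \triangleright E_2 \mapsto M_2}{R;\rho \triangleright E_1\,E_2 \mapsto M_1\,M_2}\ \text{tx\_app}
$$

$$
\frac{R;\rho;\cdot \triangleright E \mapsto M}{R;\rho \triangleright \mathbf{box}\,E \mapsto \mathbf{box}\,M}\ \text{tx\_box}
\qquad
\frac{R;\rho, \mathbf{box}\ u = E_1 \triangleright E_2 \mapsto M}{R;\rho \triangleright \mathbf{let\ box}\ u = E_1\ \mathbf{in}\ E_2 \mapsto M}\ \text{tx\_letbox}
$$

$$
\frac{R_n;\rho_n \triangleright E \mapsto M}{R_n;(\rho_n, \mathbf{box}\ u = E, \rho_n');\ldots;\rho_0 \triangleright u \mapsto \mathbf{unbox}_n\,M}\ \text{tx\_mvar}
$$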


Theorem 13 (Translation from Explicit System)

Given $\Psi;\Gamma \models (R;\rho) : \Delta$ and $\Delta;\Gamma \vdash E : A$.

1. There is a unique $M$ such that $R;\rho \triangleright E \mapsto M$.

2. Whenever $R;\rho \triangleright E \mapsto M$ then $\Psi;\Gamma \vdash M : A$.

Proof: Proposition 1 is proven by induction on the multiset extension of the subterm ordering of expressions in $R;\rho$ and $E$. For the case of a modal variable $u$ we need to use the typing assumption to guarantee that tx_mvar applies, that is, that the environment stack contains an appropriate definition of $u$.

Proposition 2 is proven by induction on the structure of the derivation of $R;\rho \triangleright E \mapsto M$, applying inversion to the given typing derivations. In the case of modal variables $u$ we have an auxiliary induction on the world index $n$.

We  now  show  the  proof  of  Proposition  2  in  more  detail.  We  assume  we  are  given  derivations 

V  £  T 

'®;r  |=?  (i?;p)  :  A  A;rP^:A  R;pl>Ey-^M 

We  proceed  by  induction  on  the  structure  of  T,  applying  inversion  to  the  typing  derivations  as 
needed  in  order  to  construct  a  derivation 

V 

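Case:

\[ \mathcal{T} = \frac{}{R; \rho \triangleright x \mapsto x}\;\mathsf{tx\_ovar} \]

\[\begin{array}{ll}
\Delta; \Gamma \vdash^e x : A & \text{by assumption} \\
x{:}A \text{ in } \Gamma & \text{by inversion} \\
\Psi; \Gamma \vdash^i x : A & \text{by rule var}
\end{array}\]

Case:

\[ \mathcal{T} = \dfrac{\begin{array}{c} \mathcal{T}_2 \\ R; \rho \triangleright E_2 \mapsto M_2 \end{array}}
                       {R; \rho \triangleright \lambda x{:}A_1.\,E_2 \mapsto \lambda x{:}A_1.\,M_2}\;\mathsf{tx\_lam} \]

\[\begin{array}{ll}
\Delta; \Gamma \vdash^e \lambda x{:}A_1.\,E_2 : A & \text{by assumption} \\
\Delta; \Gamma, x{:}A_1 \vdash^e E_2 : A_2 \text{ and } A = A_1 \to A_2 & \text{by inversion} \\
\Psi; \Gamma, x{:}A_1 \models (R; \rho) : \Delta & \text{by assumption and weakening} \\
\Psi; \Gamma, x{:}A_1 \vdash^i M_2 : A_2 & \text{by ind. hyp.} \\
\Psi; \Gamma \vdash^i \lambda x{:}A_1.\,M_2 : A_1 \to A_2 & \text{by rule } {\to}I
\end{array}\]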

Case:  tx_app  is  straightforward. 
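Case:

\[ \mathcal{T} = \dfrac{\begin{array}{c} \mathcal{T}_1 \\ R; \rho; \cdot \triangleright E_1 \mapsto M_1 \end{array}}
                       {R; \rho \triangleright \mathsf{box}\ E_1 \mapsto \mathsf{box}\ M_1}\;\mathsf{tx\_box} \]

\[\begin{array}{ll}
\Delta; \Gamma \vdash^e \mathsf{box}\ E_1 : A & \text{by assumption} \\
\Delta; \cdot \vdash^e E_1 : A_1 \text{ and } A = \Box A_1 & \text{by inversion} \\
\Psi; \Gamma \models (R; \rho) : \Delta & \text{by assumption} \\
\Delta; \cdot \vdash^e \cdot : \cdot & \text{by tpv\_empty} \\
\Psi; \Gamma; \cdot \models (R; \rho; \cdot) : \Delta & \text{by tpr\_env} \\
\Psi; \Gamma; \cdot \vdash^i M_1 : A_1 & \text{by ind. hyp.} \\
\Psi; \Gamma \vdash^i \mathsf{box}\ M_1 : \Box A_1 & \text{by } \Box I
\end{array}\]

Case:

\[ \mathcal{T} = \dfrac{\begin{array}{c} \mathcal{T}_1 \\ R; \rho, \mathsf{box}\ u = E_1 \triangleright E_2 \mapsto M_2 \end{array}}
                       {R; \rho \triangleright \mathsf{let\ box}\ u = E_1\ \mathsf{in}\ E_2 \mapsto M_2}\;\mathsf{tx\_letbox} \]

\[\begin{array}{ll}
\Delta; \Gamma \vdash^e \mathsf{let\ box}\ u = E_1\ \mathsf{in}\ E_2 : A & \text{by assumption} \\
\Delta; \Gamma \vdash^e E_1 : \Box A_1 \text{ and } (\Delta, u{:}A_1); \Gamma \vdash^e E_2 : A & \text{by inversion} \\
\Psi; \Gamma \models (R; \rho) : \Delta & \text{by assumption} \\
\Psi; \Gamma \models (R; \rho, \mathsf{box}\ u = E_1) : \Delta, u{:}A_1 & \text{by Lemma 12} \\
\Psi; \Gamma \vdash^i M_2 : A & \text{by ind. hyp.}
\end{array}\]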

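Case:

\[ \mathcal{T} = \dfrac{\begin{array}{c} \mathcal{T}_1 \\ R_n; \rho'_n \triangleright E' \mapsto M' \end{array}}
                       {R_n; (\rho'_n, \mathsf{box}\ u = E', \rho''_n); \ldots; \rho_0 \triangleright u \mapsto \mathsf{unbox}_n\,M'}\;\mathsf{tx\_mvar} \]

\[\begin{array}{ll}
\Delta; \Gamma \vdash^e u : A & \text{by assumption} \\
u{:}A \text{ in } \Delta & \text{by inversion} \\
\Psi; \Gamma_0 \models R_n; (\rho'_n, \mathsf{box}\ u = E', \rho''_n); \ldots; \rho_0 : \Delta \text{ for } \Gamma_0 = \Gamma \text{ and } \rho_0 = \rho & \text{by assumption} \\
\Psi = \Psi_n; \Gamma_n; \ldots; \Gamma_1, & \\
\Delta = \Delta_{n+1}, \Theta_n, \ldots, \Theta_0, & \\
\Psi_n \models R_n : \Delta_{n+1}, \text{ and} & \\
\Delta_{n+1}; \Gamma_n \vdash^e (\rho'_n, \mathsf{box}\ u = E', \rho''_n) : \Theta_n & \text{by inversion} \\
\Delta_{n+1}; \Gamma_n \vdash^e (\rho'_n, \mathsf{box}\ u = E') : \Theta'_n, u{:}A' \text{ and } \Theta_n = \Theta'_n, u{:}A', \Theta''_n, & \\
\Delta_{n+1}; \Gamma_n \vdash^e \rho'_n : \Theta'_n \text{ and} & \\
(\Delta_{n+1}, \Theta'_n); \Gamma_n \vdash^e E' : \Box A' & \text{by further inversion} \\
A' = A & \text{since } u{:}A \text{ in } \Delta \text{ is unique} \\
\Psi_n; \Gamma_n \models (R_n; \rho'_n) : \Delta_{n+1}, \Theta'_n & \text{by rule tpr\_env} \\
\Psi_n; \Gamma_n \vdash^i M' : \Box A & \text{by ind. hyp.} \\
\Psi_n; \Gamma_n; \ldots; \Gamma_0 \vdash^i \mathsf{unbox}_n\,M' : A & \text{by rule } \Box E
\end{array}\]

□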


4.7  Translation  to  Explicit  System 

To  show  that  every  proposition  judged  true  in  the  implicit  system  is  also  true  in  the  explicit 
system,  we  give  another  type-preserving  translation  on  proof  terms.  This  translation  is  the  core  of 
the  compilation  function  we  consider  in  Section  5.4.  Again,  the  difficulty  lies  mainly  in  relating  the 
context  stack  of  the  implicit  system  to  the  modal  and  ordinary  contexts  of  the  explicit  systems. 

The translation recursively extracts terms inside $\mathsf{unbox}_n$ constructors and binds their translation to new variables, bound with a let box outside the enclosing box constructor. Variables thus bound occur exactly once.

We abstract over an environment by means of nested let box expressions.

\[\begin{array}{rcl}
\mathsf{Let}(\cdot)(E) & = & E \\
\mathsf{Let}(\rho, \mathsf{box}\ u = E')(E) & = & \mathsf{Let}(\rho)(\mathsf{let\ box}\ u = E'\ \mathsf{in}\ E)
\end{array}\]

We  require  a  few  straightforward  properties  of  environments,  but  we  explicitly  state  only  the  derived 
typing  rule  for  environment  abstractions. 

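\[
\frac{\Delta; \Gamma \vdash^e \rho : \Theta \qquad (\Delta, \Theta); \Gamma \vdash^e E : B}
     {\Delta; \Gamma \vdash^e \mathsf{Let}(\rho)(E) : B}\;\mathsf{tpi\_env}
\]

The merge operation $R_1 \mid R_2$ on environment stacks appends corresponding environments. We assume that the domains of the environments in $R_1$ and $R_2$ are disjoint so that the resulting environment stack is valid.

\[\begin{array}{rcl}
\odot \mid R_2 & = & R_2 \\
R_1 \mid \odot & = & R_1 \\
(R_1; \rho_1) \mid (R_2; \rho_2) & = & (R_1 \mid R_2); (\rho_1, \rho_2)
\end{array}\]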

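The translation is defined by the judgment

$M \mapsto R \triangleright E$   $M$ compiles to term $E$ under stack $R$

It is defined by the following rules.

\[
\frac{}{x \mapsto \odot \triangleright x}\;\mathsf{tr\_var}
\qquad
\frac{M \mapsto R \triangleright E}
     {\lambda x{:}A.\,M \mapsto R \triangleright \lambda x{:}A.\,E}\;\mathsf{tr\_lam}
\]

\[
\frac{M_1 \mapsto R_1 \triangleright E_1 \qquad M_2 \mapsto R_2 \triangleright E_2}
     {M_1\,M_2 \mapsto (R_1 \mid R_2) \triangleright E_1\,E_2}\;\mathsf{tr\_app}
\]

\[
\frac{M \mapsto \odot \triangleright E}
     {\mathsf{box}\ M \mapsto \odot \triangleright \mathsf{box}\ E}\;\mathsf{tr\_box0}
\qquad
\frac{M \mapsto (R; \rho) \triangleright E}
     {\mathsf{box}\ M \mapsto R \triangleright \mathsf{Let}(\rho)(\mathsf{box}\ E)}\;\mathsf{tr\_box1}
\]

\[
\frac{M \mapsto R \triangleright E}
     {\mathsf{unbox}_0\,M \mapsto R \triangleright \mathsf{let\ box}\ u = E\ \mathsf{in}\ u}\;\mathsf{tr\_unbox0}
\]

\[
\frac{M \mapsto R \triangleright E}
     {\mathsf{unbox}_{n+1}\,M \mapsto R; (\mathsf{box}\ u = E); \underbrace{\cdot; \ldots; \cdot}_{n} \triangleright u}\;\mathsf{tr\_unbox1}
\]

The tr_app rule is restricted to context stacks $R_1$ and $R_2$ with disjoint domains. This can always be achieved by renaming of variables in the derivations of the two premisses.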

Theorem 14 (Translation to Explicit System)

1. For any $M$ there exist unique $R$ and $E$ such that $M \mapsto R \triangleright E$.

2. If $M \mapsto R \triangleright E$ and $\Psi; \Gamma \vdash^i M : A$ then for some $\Delta$ we have $\Psi \models R : \Delta$ and $\Delta; \Gamma \vdash^e E : A$.

Proof: Proposition 1 is straightforward, since the translation is defined structurally on $M$ with unique results (modulo renaming of bound variables, of course), except in the case of box $M$, where exactly one of tr_box0 and tr_box1 applies.

Proposition 2 follows by induction on the structure of the derivation $\mathcal{T}$ of $M \mapsto R \triangleright E$. The proof requires a few simple lemmas such as weakening for $\vdash^e$ and some immediate properties of $R_1 \mid R_2$ and $\mathsf{Let}(\rho)(E)$ which we do not state here explicitly. We omit the cases for the non-modal constructors, which are straightforward.


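Case:

\[ \mathcal{T} = \dfrac{\begin{array}{c} \mathcal{T}_1 \\ M_1 \mapsto \odot \triangleright E_1 \end{array}}
                       {\mathsf{box}\ M_1 \mapsto \odot \triangleright \mathsf{box}\ E_1}\;\mathsf{tr\_box0} \]

\[\begin{array}{ll}
\Psi; \Gamma \vdash^i \mathsf{box}\ M_1 : A & \text{by assumption} \\
\Psi; \Gamma; \cdot \vdash^i M_1 : A_1 \text{ and } A = \Box A_1 & \text{by inversion} \\
\Psi; \Gamma \models \odot : \Delta_1 \text{ and } \Delta_1; \cdot \vdash^e E_1 : A_1 \text{ for some } \Delta_1 & \text{by ind. hyp.} \\
\Delta_1 = \cdot & \text{by inversion} \\
\Psi \models \odot : \cdot & \text{by tpr\_empty} \\
\cdot; \Gamma \vdash^e \mathsf{box}\ E_1 : \Box A_1 & \text{by } \Box I
\end{array}\]

The last two lines are the desired conclusions for $\Delta = \cdot$.

Case: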


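\[ \mathcal{T} = \dfrac{\begin{array}{c} \mathcal{T}_1 \\ M_1 \mapsto (R; \rho) \triangleright E_1 \end{array}}
                       {\mathsf{box}\ M_1 \mapsto R \triangleright \mathsf{Let}(\rho)(\mathsf{box}\ E_1)}\;\mathsf{tr\_box1} \]

\[\begin{array}{ll}
\Psi; \Gamma \vdash^i \mathsf{box}\ M_1 : A & \text{by assumption} \\
\Psi; \Gamma; \cdot \vdash^i M_1 : A_1 \text{ and } A = \Box A_1 & \text{by inversion} \\
\Psi; \Gamma \models (R; \rho) : \Delta_1 \text{ and } \Delta_1; \cdot \vdash^e E_1 : A_1 \text{ for some } \Delta_1 & \text{by ind. hyp.} \\
\Psi \models R : \Delta'_1 \text{ and } \Delta'_1; \Gamma \vdash^e \rho : \Theta \text{ and } \Delta_1 = \Delta'_1, \Theta & \text{by inversion} \\
(\Delta'_1, \Theta); \Gamma \vdash^e \mathsf{box}\ E_1 : \Box A_1 & \text{by rule } \Box I \\
\Delta'_1; \Gamma \vdash^e \mathsf{Let}(\rho)(\mathsf{box}\ E_1) : \Box A_1 & \text{by rule tpi\_env}
\end{array}\]

Now we have the desired conclusions with $\Delta = \Delta'_1$.

Case:

\[ \mathcal{T} = \dfrac{\begin{array}{c} \mathcal{T}_1 \\ M_1 \mapsto R \triangleright E_1 \end{array}}
                       {\mathsf{unbox}_0\,M_1 \mapsto R \triangleright \mathsf{let\ box}\ u = E_1\ \mathsf{in}\ u}\;\mathsf{tr\_unbox0} \]

\[\begin{array}{ll}
\Psi; \Gamma \vdash^i \mathsf{unbox}_0\,M_1 : A & \text{by assumption} \\
\Psi; \Gamma \vdash^i M_1 : \Box A & \text{by inversion} \\
\Psi \models R : \Delta_1 \text{ and } \Delta_1; \Gamma \vdash^e E_1 : \Box A \text{ for some } \Delta_1 & \text{by ind. hyp.} \\
(\Delta_1, u{:}A); \Gamma \vdash^e u : A & \text{by rule tpe\_mvar} \\
\Delta_1; \Gamma \vdash^e \mathsf{let\ box}\ u = E_1\ \mathsf{in}\ u : A & \text{by rule } \Box E
\end{array}\]

Now we have the desired conclusions with $\Delta = \Delta_1$.

Case: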


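\[ \mathcal{T} = \dfrac{\begin{array}{c} \mathcal{T}_1 \\ M_1 \mapsto R \triangleright E_1 \end{array}}
                       {\mathsf{unbox}_{n+1}\,M_1 \mapsto R; (\mathsf{box}\ u = E_1); \underbrace{\cdot; \ldots; \cdot}_{n} \triangleright u}\;\mathsf{tr\_unbox1} \]

\[\begin{array}{ll}
\Psi; \Gamma \vdash^i \mathsf{unbox}_{n+1}\,M_1 : A & \text{by assumption} \\
\Psi'; \Gamma' \vdash^i M_1 : \Box A \text{ and } \Psi = \Psi'; \Gamma'; \Gamma_1; \ldots; \Gamma_n & \text{by inversion} \\
\Psi' \models R : \Delta_1 \text{ and } \Delta_1; \Gamma' \vdash^e E_1 : \Box A \text{ for some } \Delta_1 & \text{by ind. hyp.} \\
\Delta_1; \Gamma' \vdash^e (\mathsf{box}\ u = E_1) : (u{:}A) & \text{by rule tpv\_bind} \\
\Psi'; \Gamma' \models (R; \mathsf{box}\ u = E_1) : (\Delta_1, u{:}A) & \text{by rule tpr\_env} \\
\Psi'; \Gamma'; \Gamma_1; \ldots; \Gamma_n \models (R; \mathsf{box}\ u = E_1; \cdot; \ldots; \cdot) : (\Delta_1, u{:}A) & \text{by } n \text{ applications of tpr\_env} \\
(\Delta_1, u{:}A); \Gamma \vdash^e u : A & \text{by tpe\_mvar}
\end{array}\]

Now we have the desired conclusions for $\Delta = \Delta_1, u{:}A$.

□

5 Modal Mini-ML: Implicit Formulation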

We now define Mini-ML$^\Box$, an "implicit" formulation of modal Mini-ML generalizing the λ-calculus core from the preceding section. The main advantage of this system over the explicit language is that altering the staging of a computation in a given program often only requires the insertion or deletion of modal constructors. In contrast, Mini-ML$^\Box_e$ requires that the structure of the program exactly mirror the staging, since the only way to refer to results from a previous stage is via code variables. Using let (a derived form in our fragment) to bind code variables we can still express staging more explicitly in Mini-ML$^\Box$ if we prefer; it is now a matter of style rather than a property enforced in the language.

Another motivation for Mini-ML$^\Box$ is that it can be directly related to the two-level λ-calculus (see Section 6) which would be much more difficult for Mini-ML$^\Box_e$ due to the different syntactic structuring required. Further, Mini-ML$^\Box$ is very similar to the quasi-quoting and eval mechanisms in LISP, which are relatively intuitive in practice. We believe that with some syntactic sugar along the lines of Scheme's backquote and comma notation (as in the regular expression example in Section 7.3), Mini-ML$^\Box$ is a practical and theoretically well-founded basis for an extension of Standard ML. Indeed, experience with the two languages PML [WLP98] and Meta-ML [TS97, TBS98, MTBS99] indicates that such languages are indeed practical.

It may be helpful to consider the modal fragment of the implicit language to be a statically typed analog to the quasiquote mechanism in Scheme. Then box corresponds to quasiquote (`) and $\mathsf{unbox}_1$ to unquote (,). $\mathsf{unbox}_0$ corresponds to eval. More generally, $\mathsf{unbox}_n$ corresponds to a generalized unquote which splices a quoted expression into a context with $n$ levels of quasi-quoting. Note however that this analogy can also sometimes be misleading, and the actual behavior of code is closer to the quotations of a "semantically rationalized dialect" of Lisp called 2-Lisp [Smi84].

The operational semantics of the new system is given in terms of a type-preserving compilation to Mini-ML$^\Box_e$ which is a straightforward extension of the translation in Section 4.7.

For some applications, such as emulating the two-level λ-calculus, weaker modal logics such as K are sufficient, as described in Section 6.4.

5.1  Syntax 

We  extend  the  logic  to  the  core  of  a  programming  language  as  in  Section  3. 

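\[\begin{array}{llcl}
\text{Types} & A & ::= & \mathsf{nat} \mid A_1 \to A_2 \mid A_1 \times A_2 \mid 1 \mid \Box A \\
\text{Terms} & M & ::= & x \mid \lambda x{:}A.\,M \mid M_1\,M_2 \\
 & & \mid & \mathsf{box}\ M \mid \mathsf{unbox}_n\,M \\
 & & \mid & \langle M_1, M_2 \rangle \mid \mathsf{fst}\ M \mid \mathsf{snd}\ M \\
 & & \mid & \langle\,\rangle \\
 & & \mid & \mathsf{z} \mid \mathsf{s}\ M \mid (\mathsf{case}\ M_1\ \mathsf{of}\ \mathsf{z} \Rightarrow M_2 \mid \mathsf{s}\ x \Rightarrow M_3) \\
 & & \mid & \mathsf{fix}\ x{:}A.\,M \\
\text{Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}A \\
\text{Context Stacks} & \Psi & ::= & \cdot \mid \Psi; \Gamma
\end{array}\]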

5.2  Typing  Rules 

In this section we present typing rules for Mini-ML$^\Box$ using context stacks. The typing judgment has the form:

$\Psi; \Gamma \vdash^i M : A$   Term $M$ has type $A$ in local context $\Gamma$ under stack $\Psi$

Intuitively, each element $\Gamma'$ of the context stack corresponds to a computation stage. The variables declared in $\Gamma'$ are the ones whose values will be available during the corresponding evaluation phase. When we encounter a term box $M$ during typing we enter a new evaluation stage, since $M$ will be frozen during evaluation of the current stage. In this new phase, we are not allowed to refer to variables of the prior phases, since they may not be available when box $M$ is unfrozen using $\mathsf{unbox}_n$. Thus, variables may only be looked up in the current context $\Gamma$ (rule tpi_var) which is initialized as empty when we enter the body of a box (rule tpi_box). However, code generated in the current or earlier stages may be used, which is represented by the rule tpi_unbox.

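Functions

\[
\frac{x{:}A \text{ in } \Gamma}{\Psi; \Gamma \vdash^i x : A}\;\mathsf{tpi\_var}
\qquad
\frac{\Psi; (\Gamma, x{:}A) \vdash^i M : B}{\Psi; \Gamma \vdash^i \lambda x{:}A.\,M : A \to B}\;\mathsf{tpi\_lam}
\]

\[
\frac{\Psi; \Gamma \vdash^i M : A \to B \qquad \Psi; \Gamma \vdash^i N : A}{\Psi; \Gamma \vdash^i M\,N : B}\;\mathsf{tpi\_app}
\]

Code

\[
\frac{\Psi; \Gamma; \cdot \vdash^i M : A}{\Psi; \Gamma \vdash^i \mathsf{box}\ M : \Box A}\;\mathsf{tpi\_box}
\qquad
\frac{\Psi; \Gamma \vdash^i M : \Box A}{\Psi; \Gamma; \Gamma_1; \ldots; \Gamma_n \vdash^i \mathsf{unbox}_n\,M : A}\;\mathsf{tpi\_unbox}
\]

Products

\[
\frac{\Psi; \Gamma \vdash^i M_1 : A_1 \qquad \Psi; \Gamma \vdash^i M_2 : A_2}{\Psi; \Gamma \vdash^i \langle M_1, M_2 \rangle : A_1 \times A_2}\;\mathsf{tpi\_pair}
\]

\[
\frac{\Psi; \Gamma \vdash^i M : A_1 \times A_2}{\Psi; \Gamma \vdash^i \mathsf{fst}\ M : A_1}\;\mathsf{tpi\_fst}
\qquad
\frac{\Psi; \Gamma \vdash^i M : A_1 \times A_2}{\Psi; \Gamma \vdash^i \mathsf{snd}\ M : A_2}\;\mathsf{tpi\_snd}
\]

\[
\frac{}{\Psi; \Gamma \vdash^i \langle\,\rangle : 1}\;\mathsf{tpi\_unit}
\]

Natural Numbers

\[
\frac{}{\Psi; \Gamma \vdash^i \mathsf{z} : \mathsf{nat}}\;\mathsf{tpi\_z}
\qquad
\frac{\Psi; \Gamma \vdash^i M : \mathsf{nat}}{\Psi; \Gamma \vdash^i \mathsf{s}\ M : \mathsf{nat}}\;\mathsf{tpi\_s}
\]

\[
\frac{\Psi; \Gamma \vdash^i M_1 : \mathsf{nat} \qquad \Psi; \Gamma \vdash^i M_2 : A \qquad \Psi; (\Gamma, x{:}\mathsf{nat}) \vdash^i M_3 : A}
     {\Psi; \Gamma \vdash^i (\mathsf{case}\ M_1\ \mathsf{of}\ \mathsf{z} \Rightarrow M_2 \mid \mathsf{s}\ x \Rightarrow M_3) : A}\;\mathsf{tpi\_case}
\]

Recursion

\[
\frac{\Psi; (\Gamma, x{:}A) \vdash^i M : A}{\Psi; \Gamma \vdash^i \mathsf{fix}\ x{:}A.\,M : A}\;\mathsf{tpi\_fix}
\]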

The  reductions  and  expansions  from  Section  4  remain  valid  in  this  extended  setting,  as  do  the 
structural  rules. 

5.3  Examples  in  Implicit  Form 

We now show how we can define the power function in Mini-ML$^\Box$ with a different syntactic structure than in Mini-ML$^\Box_e$, though still with type nat → □(nat → nat).

    power = fix p:nat → □(nat → nat).
              λn:nat. case n
                of z ⇒ box (λx:nat. s z)
                 | s m ⇒ box (λx:nat. times x (unbox_1 (p m) x))

As another example, we show how to define a function of type nat → □nat that returns a box'ed copy of its argument:

    lift_nat = fix f:nat → □nat.
                 λx:nat. case x
                   of z ⇒ box z
                    | s x' ⇒ box (s (unbox_1 (f x')))

A similar term of type A → □A that returns a box'ed copy of its argument exists exactly when every → in A is enclosed by a □. This justifies the inclusion of the lift primitive for base types in two-level languages such as in [GJ91], and it seems natural to include such a primitive in a realistic extension of our language, as in [WLP98].
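The typing rules of Section 5.2 can be checked mechanically against the two examples above. The following Python type checker is an added example, not code from the paper; the tuple encoding of terms and types and the `const` form for closed library functions such as times are assumptions made here, and products are omitted.

```python
class StageError(Exception):
    """A term is ill-typed, e.g. it uses a variable from an earlier stage."""

NAT = "nat"
def arrow(a, b): return ("->", a, b)      # A -> B
def boxed(a): return ("box", a)           # the modal type "box A"

# Closed library functions, usable at every stage (assumption: the page
# treats `times` as a closed term for simplicity).
CONSTS = {"times": arrow(NAT, arrow(NAT, NAT))}

def expect(cond, msg):
    if not cond:
        raise StageError(msg)

def typeof(m, stack=None):
    """Type of m under a context stack: a list of dicts, last = current stage."""
    stack = [{}] if stack is None else stack
    gamma, tag = stack[-1], m[0]
    def extend(x, a):                     # Psi; (Gamma, x:A)
        return stack[:-1] + [{**gamma, x: a}]
    if tag == "var":                      # tpi_var: current context only
        expect(m[1] in gamma, f"{m[1]} is not bound at the current stage")
        return gamma[m[1]]
    if tag == "const":
        return CONSTS[m[1]]
    if tag == "lam":                      # tpi_lam
        _, x, a, body = m
        return arrow(a, typeof(body, extend(x, a)))
    if tag == "app":                      # tpi_app
        f, a = typeof(m[1], stack), typeof(m[2], stack)
        expect(f[0] == "->" and f[1] == a, "argument type mismatch")
        return f[2]
    if tag == "box":                      # tpi_box: enter a new, empty stage
        return boxed(typeof(m[1], stack + [{}]))
    if tag == "unbox":                    # tpi_unbox: drop the n newest stages
        _, n, body = m
        expect(n < len(stack), f"unbox_{n} needs {n} enclosing box(es)")
        t = typeof(body, stack[:len(stack) - n])
        expect(t[0] == "box", "unbox applied to a term that is not code")
        return t[1]
    if tag == "z":                        # tpi_z
        return NAT
    if tag == "s":                        # tpi_s
        expect(typeof(m[1], stack) == NAT, "s expects nat")
        return NAT
    if tag == "case":                     # tpi_case
        _, m1, m2, x, m3 = m
        expect(typeof(m1, stack) == NAT, "case scrutinee must be nat")
        t = typeof(m2, stack)
        expect(typeof(m3, extend(x, NAT)) == t, "case branches differ")
        return t
    if tag == "fix":                      # tpi_fix
        _, x, a, body = m
        expect(typeof(body, extend(x, a)) == a, "fix body has wrong type")
        return a
    raise StageError(f"unknown term {tag}")

def well_staged(m):
    """True when m type-checks under the empty context stack."""
    try:
        typeof(m)
        return True
    except StageError:
        return False

V = lambda x: ("var", x)
POWER_T = arrow(NAT, boxed(arrow(NAT, NAT)))
POWER = ("fix", "p", POWER_T, ("lam", "n", NAT, ("case", V("n"),
    ("box", ("lam", "x", NAT, ("s", ("z",)))),
    "m",
    ("box", ("lam", "x", NAT,
        ("app", ("app", ("const", "times"), V("x")),
                ("app", ("unbox", 1, ("app", V("p"), V("m"))), V("x"))))))))
LIFT_NAT = ("fix", "f", arrow(NAT, boxed(NAT)), ("lam", "x", NAT, ("case", V("x"),
    ("box", ("z",)),
    "y",
    ("box", ("s", ("unbox", 1, ("app", V("f"), V("y"))))))))
LEAK = ("lam", "x", NAT, ("box", V("x")))             # x lives in the outer stage
EVAL = ("lam", "c", boxed(NAT), ("unbox", 0, V("c")))  # unbox_0 as eval

if __name__ == "__main__":
    print(typeof(POWER), typeof(LIFT_NAT), well_staged(LEAK))
```

`LEAK` is the term λx:nat. box x: it is rejected because tpi_box starts the body of the box with an empty context, so the earlier-stage variable x is not in scope there.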

5.4  Compilation  to  Explicit  Language 

We do not define an operational semantics for Mini-ML$^\Box$ directly; instead we depend upon a translation to Mini-ML$^\Box_e$. This extends the translation given in Section 4.7 in a straightforward way. We prefer this to a direct operational semantics on the implicit language since the translation should be identical to what a compiler would perform. We omit the obvious rules.

As an example of the compilation, it maps the definition of power from Section 5.3 to the one in Section 3.4. Note that the restructuring achieved by the compiler is similar to a staging transformation [JS86].
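The translation of Section 4.7, extended as described above, can be run mechanically. The following Python implementation is an added example, not code from the paper: the tuple encoding of terms, the fresh names u1, u2, ... and the treatment of every constructor other than box and unbox (translate the subterms, merge their stacks) are assumptions made here for the rules the text omits.

```python
from itertools import count

# Terms are tuples: ("var", x), ("lam", x, "type", M), ("app", M, N),
# ("box", M), ("unbox", n, M), plus ("letbox", u, E1, E2) in the output.
# Type annotations are opaque strings. An environment stack is a list of
# environments (last = innermost stage); an environment is a list of
# (u, E) pairs standing for "box u = E"; [] is the empty stack.

def merge(r1, r2):
    """R1 | R2: append corresponding environments, aligned at the innermost end."""
    if not r1:
        return r2
    if not r2:
        return r1
    return merge(r1[:-1], r2[:-1]) + [r1[-1] + r2[-1]]

def let_env(rho, e):
    """Let(rho)(E): nested let box, first binding of rho outermost."""
    for u, bound in reversed(rho):
        e = ("letbox", u, bound, e)
    return e

def translate(m, fresh):
    """Return (R, E) such that M |-> R |> E; `fresh` yields unused names."""
    tag = m[0]
    if tag == "box":
        r, e = translate(m[1], fresh)
        if not r:                                    # tr_box0
            return [], ("box", e)
        return r[:-1], let_env(r[-1], ("box", e))    # tr_box1
    if tag == "unbox":
        n = m[1]
        r, e = translate(m[2], fresh)
        u = next(fresh)
        if n == 0:                                   # tr_unbox0
            return r, ("letbox", u, e, ("var", u))
        # tr_unbox1: R; (box u = E); then n-1 empty environments
        return r + [[(u, e)]] + [[] for _ in range(n - 1)], ("var", u)
    # tr_var, tr_lam, tr_app and all remaining constructors: translate the
    # subterms left to right and merge their stacks (assumed reading of the
    # rules omitted in Section 5.4).
    stack, parts = [], []
    for part in m[1:]:
        if isinstance(part, tuple):
            r, part = translate(part, fresh)
            stack = merge(stack, r)
        parts.append(part)
    return stack, (tag, *parts)

def compile_term(m):
    """Translate a top-level term; no binding may escape past the top level."""
    r, e = translate(m, (f"u{i}" for i in count(1)))
    if any(r):
        raise ValueError("unbox refers to a stage outside the term")
    return e

def show(e):
    """Render a term in the concrete syntax used on this page."""
    tag = e[0]
    if tag == "var":
        return e[1]
    if tag == "lam":
        return f"λ{e[1]}:{e[2]}. {show(e[3])}"
    if tag == "app":
        fn = show(e[1]) if e[1][0] in ("var", "app") else f"({show(e[1])})"
        arg = show(e[2]) if e[2][0] == "var" else f"({show(e[2])})"
        return f"{fn} {arg}"
    if tag == "box":
        return f"box ({show(e[1])})"
    if tag == "unbox":
        return f"unbox_{e[1]} ({show(e[2])})"
    if tag == "letbox":
        return f"let box {e[1]} = {show(e[2])} in {show(e[3])}"
    return tag + "(" + ", ".join(
        show(p) if isinstance(p, tuple) else str(p) for p in e[1:]) + ")"

# Successor branch of `power` from Section 5.3; times, p and m are free
# variables in this constructed fragment.
POWER_BRANCH = ("box", ("lam", "x", "nat",
    ("app", ("app", ("var", "times"), ("var", "x")),
            ("app", ("unbox", 1, ("app", ("var", "p"), ("var", "m"))),
                    ("var", "x")))))

if __name__ == "__main__":
    print(show(compile_term(POWER_BRANCH)))
```

The spliced computation p m is hoisted out of the box and bound once by let box, which is the restructuring the paragraph above compares to a staging transformation.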

The operational semantics induced by the translation is different from some obvious ones defined directly on Mini-ML$^\Box$. In [MM94], for example, a simple reduction semantics is introduced for a system similar to the pure fragment of our implicit system. It does not reflect staging, and is instead used to prove a Church-Rosser theorem and strong normalization for a pure modal λ-calculus. Similarly, in [PW95] an algorithm for converting pure modal λ-terms in implicit form to long normal form is given and proven correct. This algorithm bears no resemblance to the staged computation achieved via Mini-ML$^\Box_e$. We also have constructed a direct operational semantics for Mini-ML$^\Box$ generalizing [Hat95] that does capture staging, but prefer the compilation because it makes operational properties more evident. In particular, proving staging theorems for Mini-ML$^\Box$ directly would be much harder than taking advantage of the type-preserving compilation and proving the properties for Mini-ML$^\Box_e$.

6 A Two-level Language

In this section we define Mini-ML$_2$, a two-level functional language very close to the one described in [NN92]. We then define a simple translation into Mini-ML$^\Box$ and prove that binding-time correctness in Mini-ML$_2$ is equivalent to modal correctness of the translation in Mini-ML$^\Box$.

A two-level language captures staging by explicitly annotating each occurrence of a term constructor as compile-time (often called static) or run-time (often called dynamic). Traditionally, expression constructors which can be evaluated at compile-time are overlined, those which cannot be evaluated until run-time are underlined. The process of annotating each term constructor in an expression is called binding-time analysis. Of course, not every possible annotation is valid. For example, the expression

\[ \underline{\lambda}x{:}\mathsf{nat}.\ \overline{\mathsf{case}}\ x\ \mathsf{of}\ \mathsf{z} \Rightarrow \mathsf{z} \mid \mathsf{s}\ y \Rightarrow \mathsf{s}\ \mathsf{z} \]

is not binding-time correct, since $x$ is not available until run-time, while the case statement is annotated to be executed at compile time, which is not possible.

We  will  not  discuss  binding-time  analysis  in  this  paper,  only  show  how  the  resulting  two-level 
terms  are  related  to  modal  Mini-ML  in  its  multiple-world  formulation  from  Section  5. 

Our  language  differs  slightly  from  [NN92]  in  that  we  inject  all  run-time  types  into  compile-time 
types,  instead  of  just  function  types.  This  follows  [GJ91],  where  there  is  no  such  restriction.  Also, 
we  find  it  convenient  to  divide  the  variables  and  contexts  into  run-time  and  compile-time.  All  other 
differences  to  [NN92]  are  due  to  minor  differences  between  their  underlying  language  and  Mini-ML. 
Note  that  modal  Mini-ML  can  accommodate  arbitrary  levels  (not  just  two)  and  additional  term 
operations  (such  as  evaluation),  so  the  two-level  language  we  introduce  in  this  section  will  be 
embedded  into  a  relatively  modest  fragment  of  modal  Mini-ML. 

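6.1 Syntax

\[\begin{array}{llcl}
\text{Run-time Types} & \tau & ::= & \underline{\mathsf{nat}} \mid \tau_1 \mathbin{\underline{\to}} \tau_2 \mid \tau_1 \mathbin{\underline{\times}} \tau_2 \mid \underline{1} \\
\text{Compile-time Types} & \sigma & ::= & \overline{\mathsf{nat}} \mid \sigma_1 \mathbin{\overline{\to}} \sigma_2 \mid \sigma_1 \mathbin{\overline{\times}} \sigma_2 \mid \overline{1} \mid \tau \\
\text{Terms} & e & ::= & x \mid \underline{\lambda}x{:}\tau.\,e \mid e_1 \mathbin{\underline{@}} e_2 \\
 & & \mid & \underline{\mathsf{fix}}\ x{:}\tau.\,e \\
 & & \mid & \underline{\langle} e_1, e_2 \underline{\rangle} \mid \underline{\mathsf{fst}}\ e \mid \underline{\mathsf{snd}}\ e \\
 & & \mid & \underline{\langle\,\rangle} \\
 & & \mid & \underline{\mathsf{z}} \mid \underline{\mathsf{s}}\ e \\
 & & \mid & (\underline{\mathsf{case}}\ e_1\ \mathsf{of}\ \mathsf{z} \Rightarrow e_2 \mid \mathsf{s}\ x \Rightarrow e_3) \\
 & & \mid & y \mid \overline{\lambda}y{:}\sigma.\,e \mid e_1 \mathbin{\overline{@}} e_2 \\
 & & \mid & \overline{\mathsf{fix}}\ y{:}\sigma.\,e \\
 & & \mid & \overline{\langle} e_1, e_2 \overline{\rangle} \mid \overline{\mathsf{fst}}\ e \mid \overline{\mathsf{snd}}\ e \\
 & & \mid & \overline{\langle\,\rangle} \\
 & & \mid & \overline{\mathsf{z}} \mid \overline{\mathsf{s}}\ e \\
 & & \mid & (\overline{\mathsf{case}}\ e_1\ \mathsf{of}\ \mathsf{z} \Rightarrow e_2 \mid \mathsf{s}\ y \Rightarrow e_3) \\
\text{Run-time Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}\tau \\
\text{Compile-time Contexts} & \Delta & ::= & \cdot \mid \Delta, y{:}\sigma
\end{array}\]

As a simple example we consider the two-level version of the power function.

\[\begin{array}{l}
\mathit{power} = \overline{\mathsf{fix}}\ p : \overline{\mathsf{nat}} \mathbin{\overline{\to}} (\underline{\mathsf{nat}} \mathbin{\underline{\to}} \underline{\mathsf{nat}}). \\
\qquad \overline{\lambda}n{:}\overline{\mathsf{nat}}.\ \overline{\mathsf{case}}\ n \\
\qquad\quad \mathsf{of}\ \mathsf{z} \Rightarrow (\underline{\lambda}x{:}\underline{\mathsf{nat}}.\ \underline{\mathsf{s}}\ \underline{\mathsf{z}}) \\
\qquad\quad \mid\ \mathsf{s}\ m \Rightarrow (\underline{\lambda}x{:}\underline{\mathsf{nat}}.\ \mathit{times} \mathbin{\underline{@}} x \mathbin{\underline{@}} ((p \mathbin{\overline{@}} m) \mathbin{\underline{@}} x))
\end{array}\]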

Recall that times is a curried function for multiplication represented as a closed term for simplicity. The type indicates that power takes a natural number as a compile-time argument and computes a residual run-time function from nat to nat. Otherwise the structure is very similar to the power function in its implicit formulation from Section 5.3. As we will see in Section 6.3 we can translate this to Mini-ML$^\Box$ by inserting a box constructor when an immediate subexpression of a compile-time term (overlined) is a run-time term (underlined). Conversely, when a compile-time term appears as an immediate subexpression of a run-time term we insert an $\mathsf{unbox}_1$ constructor. It is easy to see that in this example we obtain the power function in implicit form, exactly as in Section 5.3:

    power = fix p:nat → □(nat → nat).
              λn:nat. case n
                of z ⇒ box (λx:nat. s z)
                 | s m ⇒ box (λx:nat. times x (unbox_1 (p m) x))

6.2  Typing  Rules 

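The typing rules of the two-level λ-calculus simultaneously verify staging and standard type-correctness, just as our explicit and implicit systems. We have two judgments:

$\Delta; \Gamma \vdash^r e : \tau$   expression $e$ has run-time type $\tau$
$\Delta \vdash^c e : \sigma$   expression $e$ has compile-time type $\sigma$

A compile-time expression can never depend on a run-time variable. Therefore, compile-time typing depends only on a compile-time context. A run-time expression may have embedded compile-time subexpressions and therefore carries compile-time variables (in $\Delta$) as well as run-time variables in $\Gamma$.

Functions

\[
\frac{x{:}\tau \text{ in } \Gamma}{\Delta; \Gamma \vdash^r x : \tau}\;\mathsf{tpr\_var}
\qquad
\frac{\Delta; (\Gamma, x{:}\tau_2) \vdash^r e : \tau}{\Delta; \Gamma \vdash^r \underline{\lambda}x{:}\tau_2.\,e : \tau_2 \mathbin{\underline{\to}} \tau}\;\mathsf{tpr\_lam}
\]

\[
\frac{\Delta; \Gamma \vdash^r e_1 : \tau_2 \mathbin{\underline{\to}} \tau \qquad \Delta; \Gamma \vdash^r e_2 : \tau_2}{\Delta; \Gamma \vdash^r e_1 \mathbin{\underline{@}} e_2 : \tau}\;\mathsf{tpr\_app}
\]

Products

\[
\frac{\Delta \vdash^c e_1 : \sigma_1 \qquad \Delta \vdash^c e_2 : \sigma_2}{\Delta \vdash^c \overline{\langle} e_1, e_2 \overline{\rangle} : \sigma_1 \mathbin{\overline{\times}} \sigma_2}\;\mathsf{tpc\_pair}
\]

\[
\frac{\Delta \vdash^c e : \sigma_1 \mathbin{\overline{\times}} \sigma_2}{\Delta \vdash^c \overline{\mathsf{fst}}\ e : \sigma_1}\;\mathsf{tpc\_fst}
\qquad
\frac{\Delta \vdash^c e : \sigma_1 \mathbin{\overline{\times}} \sigma_2}{\Delta \vdash^c \overline{\mathsf{snd}}\ e : \sigma_2}\;\mathsf{tpc\_snd}
\]

\[
\frac{}{\Delta \vdash^c \overline{\langle\,\rangle} : \overline{1}}\;\mathsf{tpc\_unit}
\]

Natural Numbers

\[
\frac{}{\Delta \vdash^c \overline{\mathsf{z}} : \overline{\mathsf{nat}}}\;\mathsf{tpc\_z}
\qquad
\frac{\Delta \vdash^c e : \overline{\mathsf{nat}}}{\Delta \vdash^c \overline{\mathsf{s}}\ e : \overline{\mathsf{nat}}}\;\mathsf{tpc\_s}
\]

\[
\frac{\Delta \vdash^c e_1 : \overline{\mathsf{nat}} \qquad \Delta \vdash^c e_2 : \sigma \qquad \Delta, y{:}\overline{\mathsf{nat}} \vdash^c e_3 : \sigma}
     {\Delta \vdash^c (\overline{\mathsf{case}}\ e_1\ \mathsf{of}\ \mathsf{z} \Rightarrow e_2 \mid \mathsf{s}\ y \Rightarrow e_3) : \sigma}\;\mathsf{tpc\_case}
\]

Recursion

\[
\frac{\Delta, y{:}\sigma \vdash^c e : \sigma}{\Delta \vdash^c \overline{\mathsf{fix}}\ y{:}\sigma.\,e : \sigma}\;\mathsf{tpc\_fix}
\]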

Note  that  we  remove  run-time  assumptions  at  the  down  rule,  while  in  [NN92]  this  is  done  later 
at  the  up  rule.  This  change  is  justified  since,  by  the  structure  of  their  rules,  such  assumptions  can 
never  be  used  in  the  compile-time  deduction  in  between. 


6.3  Translation  to  Implicit  Language 

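The translation to Mini-ML$^\Box$ is now very simple. We translate both run-time and compile-time Mini-ML fragments directly, and insert □, box and $\mathsf{unbox}_1$ to represent the changes between phases. We define two mutually recursive functions to do this: $\|\cdot\|$ is the run-time translation and $|\cdot|$ is the compile-time translation. We overload this notation by using it for types, terms, and contexts. We write $\overline{e}$ and $\underline{e}$ to match any term whose top constructor matches the phase annotation.

Type Translation

\[\begin{array}{rcl@{\qquad}rcl}
\|\underline{\mathsf{nat}}\| & = & \mathsf{nat} & |\overline{\mathsf{nat}}| & = & \mathsf{nat} \\
\|\tau_1 \mathbin{\underline{\to}} \tau_2\| & = & \|\tau_1\| \to \|\tau_2\| & |\sigma_1 \mathbin{\overline{\to}} \sigma_2| & = & |\sigma_1| \to |\sigma_2| \\
\|\tau_1 \mathbin{\underline{\times}} \tau_2\| & = & \|\tau_1\| \times \|\tau_2\| & |\sigma_1 \mathbin{\overline{\times}} \sigma_2| & = & |\sigma_1| \times |\sigma_2| \\
\|\underline{1}\| & = & 1 & |\overline{1}| & = & 1 \\
 & & & |\tau| & = & \Box\|\tau\|
\end{array}\]

Term Translation

\[\begin{array}{rcl@{\qquad}rcl}
\|x\| & = & x & |y| & = & y \\
\|\underline{\lambda}x{:}\tau.\,e\| & = & \lambda x{:}\|\tau\|.\,\|e\| & |\overline{\lambda}y{:}\sigma.\,e| & = & \lambda y{:}|\sigma|.\,|e| \\
\|e_1 \mathbin{\underline{@}} e_2\| & = & \|e_1\|\,\|e_2\| & |e_1 \mathbin{\overline{@}} e_2| & = & |e_1|\,|e_2| \\
\|\underline{\mathsf{fix}}\ x{:}\tau.\,e\| & = & \mathsf{fix}\ x{:}\|\tau\|.\,\|e\| & |\overline{\mathsf{fix}}\ y{:}\sigma.\,e| & = & \mathsf{fix}\ y{:}|\sigma|.\,|e| \\
\|\underline{\langle} e_1, e_2 \underline{\rangle}\| & = & \langle \|e_1\|, \|e_2\| \rangle & |\overline{\langle} e_1, e_2 \overline{\rangle}| & = & \langle |e_1|, |e_2| \rangle \\
\|\underline{\mathsf{fst}}\ e\| & = & \mathsf{fst}\ \|e\| & |\overline{\mathsf{fst}}\ e| & = & \mathsf{fst}\ |e| \\
\|\underline{\mathsf{snd}}\ e\| & = & \mathsf{snd}\ \|e\| & |\overline{\mathsf{snd}}\ e| & = & \mathsf{snd}\ |e| \\
\|\underline{\langle\,\rangle}\| & = & \langle\,\rangle & |\overline{\langle\,\rangle}| & = & \langle\,\rangle \\
\|\underline{\mathsf{z}}\| & = & \mathsf{z} & |\overline{\mathsf{z}}| & = & \mathsf{z} \\
\|\underline{\mathsf{s}}\ e\| & = & \mathsf{s}\ \|e\| & |\overline{\mathsf{s}}\ e| & = & \mathsf{s}\ |e|
\end{array}\]

\[\begin{array}{rcl}
\|\underline{\mathsf{case}}\ e_1\ \mathsf{of}\ \mathsf{z} \Rightarrow e_2 \mid \mathsf{s}\ x \Rightarrow e_3\| & = & \mathsf{case}\ \|e_1\|\ \mathsf{of}\ \mathsf{z} \Rightarrow \|e_2\| \mid \mathsf{s}\ x \Rightarrow \|e_3\| \\
|\overline{\mathsf{case}}\ e_1\ \mathsf{of}\ \mathsf{z} \Rightarrow e_2 \mid \mathsf{s}\ y \Rightarrow e_3| & = & \mathsf{case}\ |e_1|\ \mathsf{of}\ \mathsf{z} \Rightarrow |e_2| \mid \mathsf{s}\ y \Rightarrow |e_3| \\
\|\overline{e}\| & = & \mathsf{unbox}_1\,|\overline{e}| \\
|\underline{e}| & = & \mathsf{box}\ \|\underline{e}\|
\end{array}\]

Context Translation

\[\begin{array}{rcl@{\qquad}rcl}
\|\cdot\| & = & \cdot & |\cdot| & = & \cdot \\
\|\Gamma, x{:}\tau\| & = & \|\Gamma\|, x{:}\|\tau\| & |\Delta, y{:}\sigma| & = & |\Delta|, y{:}|\sigma|
\end{array}\]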

6.4  Equivalence  of  Binding  Time  Correctness  and  Modal  Correctness 

In this section we show that binding-time correctness is equivalent to modal correctness of the translation to Mini-ML$^\Box$. Note that even though we use $\Delta$ and $\Gamma$ to denote contexts, the implicit language Mini-ML$^\Box$ employs context stacks, where $\cdot; \Gamma_1; \ldots; \Gamma_n$ is abbreviated as $\Gamma_1; \ldots; \Gamma_n$.

Theorem 15 (Conservative Embedding)

1. If $\|e\| = M$ then:

(a) if $\Delta; \Gamma \vdash^r e : \tau$ then $|\Delta|; \|\Gamma\| \vdash^i M : \|\tau\|$;

(b) if $|\Delta|; \|\Gamma\| \vdash^i M : A$ then $\Delta; \Gamma \vdash^r e : \tau$ with $\|\tau\| = A$.

2. If $|e| = M$ then:

(a) if $\Delta \vdash^c e : \sigma$ then $|\Delta| \vdash^i M : |\sigma|$;

(b) if $|\Delta| \vdash^i M : A$ then $\Delta \vdash^c e : \sigma$ with $|\sigma| = A$.

Proof: By simultaneous induction on the definitions of $\|e\|$ and $|e|$. Note that we can take advantage of strong inversion properties, since we have exactly one typing rule for each term constructor in Mini-ML$^\Box$ and Mini-ML$_2$, plus the up and down rules to connect the $\vdash^r$ and $\vdash^c$ judgments.

We  only  show  the  two  cases  involving  the  up  and  down  rules  since  all  others  are  easy. 


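Case: $\|\overline{e}\| = \mathsf{unbox}_1\,|\overline{e}|$, part 1a.

\[\begin{array}{ll}
\Delta; \Gamma \vdash^r \overline{e} : \tau & \text{assumption} \\
\Delta \vdash^c \overline{e} : \tau & \text{by inversion (rule down)} \\
|\Delta| \vdash^i |\overline{e}| : \Box\|\tau\| & \text{by i.h. 2a} \\
|\Delta|; \|\Gamma\| \vdash^i \mathsf{unbox}_1\,|\overline{e}| : \|\tau\| & \text{by rule tpi\_unbox}
\end{array}\]

Case: $\|\overline{e}\| = \mathsf{unbox}_1\,|\overline{e}|$, part 1b.

\[\begin{array}{ll}
|\Delta|; \|\Gamma\| \vdash^i \mathsf{unbox}_1\,|\overline{e}| : \|\tau\| & \text{assumption} \\
|\Delta| \vdash^i |\overline{e}| : \Box\|\tau\| & \text{by inversion (rule tpi\_unbox)} \\
\Delta \vdash^c \overline{e} : \tau & \text{by i.h. 2b} \\
\Delta; \Gamma \vdash^r \overline{e} : \tau & \text{by rule down}
\end{array}\]

Case: $|\underline{e}| = \mathsf{box}\ \|\underline{e}\|$, part 2a.

\[\begin{array}{ll}
\Delta \vdash^c \underline{e} : \tau & \text{assumption} \\
\Delta; \cdot \vdash^r \underline{e} : \tau & \text{by inversion (rule up)} \\
|\Delta|; \cdot \vdash^i \|\underline{e}\| : \|\tau\| & \text{by i.h. 1a} \\
|\Delta| \vdash^i \mathsf{box}\ \|\underline{e}\| : \Box\|\tau\| & \text{by rule tpi\_box}
\end{array}\]

Case: $|\underline{e}| = \mathsf{box}\ \|\underline{e}\|$, part 2b.

\[\begin{array}{ll}
|\Delta| \vdash^i \mathsf{box}\ \|\underline{e}\| : \Box\|\tau\| & \text{assumption} \\
|\Delta|; \cdot \vdash^i \|\underline{e}\| : \|\tau\| & \text{by inversion (rule tpi\_box)} \\
\Delta; \cdot \vdash^r \underline{e} : \tau & \text{by i.h. 1b} \\
\Delta \vdash^c \underline{e} : \tau & \text{by rule up}
\end{array}\]

□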


The  translation  and  proof  can  be  easily  generalized  from  a  two-level  language  to  a  B-level 
language  [NN92]  with  an  infinite  linear  ordering.  In  this  case  the  image  of  the  translation  on 
well- typed  terms  is  exactly  the  fragment  Mini-ML^-,  where  unbox^  is  restricted  to  n  =  1.  This 
fragment  corresponds  to  a  weaker  modal  logic,  K,  in  which  we  drop  the  assumption  in  S4  that  the 
accessibility  relation  is  reflexive  and  transitive  [MM94],  and  which  we  discussed  briefly  in  Section  2. 
Thus  a  corollary  of  the  generalized  theorem  is  that  Mini-ML^^  is  equivalent  to  an  infinite  linear 
B-level  language,  since  the  translation  is  then  a  bijection  which  preserves  correctness  of  typing. 


7  Examples 

We now present some standard examples from partial evaluation to illustrate the expressiveness of our language Mini-ML$^\Box$. We use let x = E1 in E2 to introduce (non-polymorphic) top-level definitions; it may be considered syntactic sugar for (λx:A. E2) E1.

7.1 Ackermann's Function

We now present a program for calculating Ackermann's function that specializes to the first argument. It is based on the following program:

    fix acker:nat → nat → nat.
      λm:nat. case m
        of z ⇒ λn:nat. s n
         | s m' ⇒ λn:nat. case n
                     of z ⇒ acker m' (s z)
                      | s n' ⇒ acker m' (acker m n')

Now, if we attempt to directly insert the modal constructors to divide this program into two stages, we get the following:

    fix acker:nat → □(nat → nat).
      λm:nat. case m
        of z ⇒ box (λn:nat. s n)
         | s m' ⇒ box (λn:nat. case n
                     of z ⇒ (unbox_1 (acker m')) (s z)
                      | s n' ⇒ (unbox_1 (acker m')) ((unbox_1 (acker m)) n'))

Unfortunately,  when  applied  to  the  first  argument,  this  function  generally  will  not  terminate. 
This  is  a  common  problem  in  partial  evaluation,  and  the  usual  solution  is  to  employ  memoization 
during  specialization,  which  works  for  many  programs.  Here  we  will  simply  note  that  the  problem 
in  this  case  is  a  recursive  call  to  acker  m  while  calculating  acker  m,  which  can  be  removed  by 
adding  an  additional  fixpoint  as  follows. 

    fix acker:nat → □(nat → nat).
      λm:nat. case m
        of z ⇒ box (λn:nat. s n)
         | s m' ⇒ box (fix ackm. λn:nat.
                     case n
                       of z ⇒ (unbox_1 (acker m')) (s z)
                        | s n' ⇒ (unbox_1 (acker m')) (ackm n'))

This function will always terminate. The recursive applications appearing inside unbox_1 constructors are evaluated when the first argument is given. The compilation of this function to Mini-ML$^\Box_e$ makes this more explicit:

    fix acker:nat → □(nat → nat).
      λm:nat. case m
        of z ⇒ box (λn:nat. s n)
         | s m' ⇒ let box f = acker m' in
                  let box g = acker m' in
                    box (fix ackm. λn:nat.
                           case n of z ⇒ f (s z)
                                   | s n' ⇒ g (ackm n'))

Notice that acker m' is unnecessarily calculated twice. This would be avoided if memoization was employed during the compilation or if we had explicitly bound a variable to the result of this computation.

7.2 Inner Products


In [GJ95] the calculation of inner products is given as an example of a program with more than two phases. We now show how this example can be coded in Mini-ML$^\Box$. We assume a data type vector in the example, along with a function sub : nat → vector → nat to access the elements of a vector.

Then, the inner product example without staging is expressed in Mini-ML as follows:

    fix ip:nat → vector → vector → nat.
      λn:nat. case n
        of z ⇒ λv:vector. λw:vector. z
         | s n' ⇒ λv:vector. λw:vector.
                     plus (times (sub n v) (sub n w))
                          (ip n' v w)

We add in □, box and unbox_n to obtain a function with three computation stages which is shown in Figure 1. We assume a function lift_nat defined earlier and a function sub' : nat → □(vector → nat) which is a specializing version of sub, that perhaps precomputes some pointer arithmetic based on the array index. We first define a staged version times' of times which avoids the multiplication in the specialization if the first argument is zero. This will speed up application of iprod' to its third argument, particularly in the case that the second argument is a sparse vector.

    let times' : □(nat → □(nat → nat)) =
      box (λm:nat. case m
             of z ⇒ box (λn:nat. z)
              | s m' ⇒ box (λn:nat. times n (unbox_1 (lift_nat m))))
    in let iprod' = fix ip:nat → □(vector → □(vector → nat)).
         λn:nat. case n
           of z ⇒ box (λv:vector. box (λw:vector. z))
            | s n' ⇒ box (λv:vector. box (λw:vector.
                        plus (unbox_1 (unbox_1 times' (unbox_1 (sub' n) v))
                                      (unbox_2 (sub' n) w))
                             (unbox_1 (unbox_1 (ip n') v) w)))
    in let iprod3 : vector → □(vector → nat) = unbox_0 (iprod' 3)
    in let iprod3a : vector → nat = unbox_0 (iprod3 [7, 0, 9])
    in let iprod3b : vector → nat = unbox_0 (iprod3 [7, 8, 0])
    in ...

Figure 1: Staged code for inner product.

The last three lines show how to execute the result of a specialization using unbox_0 (corresponding to eval in Lisp). Also, the occurrence of unbox_2 indicates code used at the third stage but generated at the first. These two aspects could not be expressed within the multi-level language in [GJ95].

Note the erasure of the unbox_n and box constructors in iprod' leaves the unstaged code, except that we used a different version of multiplication. The operational semantics of the two programs is of course quite different.

7.3 Regular Expression Matching

We  now  present  a  program  for  regular  expression  matching  that  specializes  to  a  particular  regular 
expression.  We  use  the  full  Standard  ML  language,  augmented  with  our  modal  constructors.  Our 
program  is  based  on  the  non-specializing  one  in  Figure  2,  which  makes  use  of  a  continuation  function 
that  is  called  with  the  remaining  input  if  the  current  matching  succeeds.  We  assume  the  following 
datatype  declaration: 

datatype regexp
  = Empty
  | Plus of regexp * regexp
  | Times of regexp * regexp
  | Star of regexp
  | Const of string

(* val acc : regexp -> (string list -> bool) -> (string list -> bool) *)
fun acc (Empty) k s = k s
  | acc (Plus(r1,r2)) k s = acc r1 k s orelse
                            acc r2 k s
  | acc (Times(r1,r2)) k s =
      acc r1 (fn ss => acc r2 k ss) s
  | acc (Star(r)) k s =
      k s orelse
      acc r (fn ss => if s = ss then false
                      else acc (Star(r)) k ss) s
  | acc (Const(str)) k (x::s) =
      (x = str) andalso k s
  | acc (Const(str)) k (nil) = false

(* val accept : regexp -> (string list -> bool) *)
fun accept r s =
  acc r (fn nil => true | (x::l) => false) s


Figure  2:  Unstaged  regular  expression  matcher 

Note that there is a recursive call to acc (Star(r)) in the case for acc (Star(r)) which we can
transform using a local definition, similar to the fix introduced in the Ackermann function example.
This must be done so that specialization with respect to the regular expression terminates. The
resulting code for this case is:

  | acc (Star(r)) k s =
      let fun accStar k s =
            k s orelse
            acc r
              (fn ss => if s = ss then false
                        else accStar k ss)
              s
      in
        accStar k s
      end
Then, we can add in modal constructors to get the staged program in Figure 3 with the following
types (using [A] here to represent □A, following the syntax of PML [WLP98]):

val  acc2  :  regexp  ->  [(string  list  ->  bool)  ->  (string  list  ->  bool)] 
val  accept2  :  regexp  ->  [string  list  ->  bool] 

These types indicate that the required staging is achieved by the program. Inserting the modal
constructors requires breaking up the function arguments, but is otherwise relatively straightforward.
We use ` for box and ^ for unbox₁. More generally, we suggest using ^n for unboxₙ.

(* val acc2 : regexp -> [(string list -> bool) -> (string list -> bool)] *)
fun acc2 (Empty) = ` fn k => fn s => k s
  | acc2 (Plus(r1,r2)) = ` fn k => fn s =>
      ^(acc2 r1) k s orelse
      ^(acc2 r2) k s
  | acc2 (Times(r1,r2)) = ` fn k => fn s =>
      ^(acc2 r1) (fn ss => ^(acc2 r2) k ss) s
  | acc2 (Star(r)) = ` fn k => fn s =>
      let fun acc2Star k s =
            k s orelse
            ^(acc2 r)
              (fn ss => if s = ss then false
                        else acc2Star k ss)
              s
      in
        acc2Star k s
      end
  | acc2 (Const(str)) = ` fn k =>
      (fn (x::ss) =>
            (x = ^(lift_string str))
            andalso k ss
        | nil => false)

(* val accept2 : regexp -> [string list -> bool] *)
fun accept2 r = ` fn s =>
  ^(acc2 r) (fn nil => true | (x::l) => false) s


Figure  3:  Modally  staged  regular  expression  matcher 

We can now use our compilation to the explicit language Mini-ML□ to get an equivalently staged
program. We can then further translate to a program in pure Standard ML, which is staged in the
same way, but without the modal annotations, as shown in Figure 4. It is unnecessary to replace
[A] by unit -> A in this case, since the code constructor (`) is only applied to values. We show
this program only to demonstrate the staging described by the modal annotated program. The
program in Mini-ML□ has the potential to be more efficient, since optimized code can be generated
by a sophisticated implementation.

8  Related  Work 

Our modal λ→□-calculus is originally based on the modal λ-calculus presented by Bierman and
de Paiva [BdP92] and used by Pfenning and Wong [PW95], who call it the “explicit system”.
(* val acc3 : regexp -> (string list -> bool) -> (string list -> bool) *)
fun acc3 (Empty) = (fn k => fn s => k s)
  | acc3 (Plus(r1,r2)) =
      let val a1 = acc3 r1
          val a2 = acc3 r2
      in
        (fn k => fn s => a1 k s orelse a2 k s)
      end
  | acc3 (Times(r1,r2)) =
      let val a1 = acc3 r1
          val a2 = acc3 r2
      in
        (fn k => fn s => a1 (fn ss => a2 k ss) s)
      end
  | acc3 (Star(r1)) =
      let val a1 = acc3 r1
          fun acc3Star k s =
            k s orelse
            a1 (fn ss => if s = ss then false
                         else acc3Star k ss)
               s
      in
        (fn k => fn s => acc3Star k s)
      end
  | acc3 (Const(str)) =
      (fn k => (fn (x::s) => (x = str) andalso k s
                 | nil => false))

(* val accept3 : regexp -> (string list -> bool) *)
fun accept3 r =
  acc3 r (fn nil => true | (x::l) => false)


Figure  4:  Pure  SML  staged  regular  expression  matcher 

Our calculus avoids the use of simultaneous substitution by using both a modal context and an
ordinary one, following the sequent calculi proposed by Andreoli [And92] for linear logic and by
Girard [Gir93] for LU. The result is similar to the linear λ-calculus formulated by Wadler [Wad93].

The language Mini-ML□ is constructed by combining and Mini-ML [CDDK86]. The language
Mini-ML□ is based on the “implicit” modal λ-calculus presented in [PW95], which uses a
stack of ordinary contexts rather than two contexts. Mini-ML□ avoids the pop structural rule
of [PW95], which is difficult to motivate from the point of view of natural deduction, by instead
removing contexts from the stack at the □E rule. The compilation from Mini-ML□ to Mini-ML□
is inspired by one direction of the proof of equivalence between the two calculi given in [PW95].
Systems similar to the implicit modal λ-calculus of [PW95] have been proposed by Martini and
Masini [MM94], who introduce a simple reduction semantics, and Borghuis [Bor94], who considers
modal pure type systems. None of the prior work on modal λ-calculi has considered the relationship
to computation staging.

Partly motivated by a previous version of the current paper [DP96], Goubault-Larrecq [GL96a,
GL96b, GL96c, GL97] has proposed a formulation of modal λ-calculi using explicit substitutions.
While this system has some interesting properties as a calculus, in particular giving a finer grained
analysis of reduction and equality, it is unclear how this is relevant to the design of a programming
language with staging primitives.

Despite some superficial similarities, our code types are quite different from Moggi’s computational
types based on monads [Mog89, Mog91] which only distinguish values from computations
and do not allow expression of stage separation. Moreover, our intended implementation of code
is intensional, since we wish to allow refinements of our semantics to optimize code, while Moggi’s
computations are extensional with evaluation as the only operation. In current work (as yet
unpublished) we have been able to explain computational types cleanly in our framework via a
combination of the intuitionistic possibility operator ◇ and necessity. This follows an earlier suggestion
by Kobayashi [Kob97] and a related investigation by Benton, Bierman and de Paiva [BBdP98] who
establish a connection between the computational λ-calculus and lax logic [FM97].

We  have  shown  how  some  standard  examples  of  specialization  can  be  expressed  in  Mini-ML□. 
More  complicated  examples  might  require  more  advanced  techniques  to  achieve  the  desired  staging, 
such  as  the  binding-time  improvements  used  in  partial  evaluation.  Memoizing  when  generating  code 
is  another  useful  technique  used  in  partial  evaluation,  and  [WLP98]  shows  how  this  technique  can 
be  programmed  in  a  language  with  modal  types.  See  [BW93]  for  a  description  of  a  realistic  partial 
evaluator  for  Standard  ML  and  [JGS93]  for  an  overview  of  standard  techniques  and  examples  of 
partial  evaluation. 

One possible criticism of our languages is that they only manipulate closed code during execution,
which restricts the staging that can be expressed compared to the two-level languages
used in partial evaluation such as that proposed by Gomard and Jones [GJ91]. This is solved in
Mini-ML□ by λ-abstracting code expressions over their free variables, and then later generating an
application to the actual variables. This results in a number of variable for variable β-redices in
the generated code in our examples. Of course, a lower level implementation could reduce these
redices for efficiency, but this is not reflected in the language semantics. From a practical point of
view, the reason for only treating closed code is that we need to be able to evaluate code without
danger of encountering unbound variables. This is in contrast to the binding-time languages used in
partial evaluation, which allow manipulation of code containing free variables, but do not support
evaluation of code as a construct within the language. Instead, evaluation of the result of partial
evaluation is an external operation applied only to whole programs, the properties of which have
been studied separately by Jones [Jon91]. In other work [Dav96], one of the present authors has
shown that the ○ (“next”) operator from non-branching temporal logic exactly models the looser
correctness criterion used in partial evaluation. Interestingly, the resulting languages are unsound
when general references or value carrying exceptions are added, since these features allow a code
expression with free variables to escape the binders for those variables.

Taha and Sheard [TS97] have directly constructed a language similar to Mini-ML□ which allows
manipulation of code with free variables as well as type-safe evaluation, but their original design
proved to be unsound in that free variables may be encountered during evaluation. This is fixed
in [TBS98], resulting in a language called Meta-ML which is sound in the absence of references and
exceptions, but it seems more operationally, rather than logically motivated. More recent work on
Meta-ML has concentrated on an idealized language [MTBS99] and makes quite direct use of the
results in the previous version of this paper [DP96] as well as [Dav96].

Over the last few years there has been a lot of interest in run-time code generation in high-level
languages. Engler, Hsieh and Kaashoek [EHK96] describe an extension of the programming
language C called `C (pronounced “tick C”) which uses similar mechanisms to Mini-ML□ to achieve
computation staging. However, the type system lacks the modal restriction on variables, so it allows
variables to be used when their values are not available, which may result in incorrect results
or runtime errors. Consel and Noel [CN96] describe a system called Tempo which allows both
partial evaluation and run-time code generation for the C language. Standard binding-time analysis
techniques are used, along with separate annotations to describe where run-time specialization
should be done. These annotations roughly correspond to the unbox₀ construct in Mini-ML□,
while the annotations resulting from the binding-time analysis roughly correspond to the box
and unbox₁ constructs, although the restriction of Mini-ML□ to closed code means that this
correspondence is not exact. Leone and Lee [LL94, LL96] describe a small ML-like language and
a corresponding implementation called Fabius which treats curried functions as run-time code
generators, using a new form of binding-time analysis. The staging achieved is quite different to
that obtained using ordinary binding-time analysis, and one of the original motivations for the
current work was to allow a formal characterization of this staging. Fabius also uses a very fast
form of run-time code generation called deferred compilation.

Deferred compilation has also recently been used by Wickline, Lee and Pfenning [WLP98] as
an implementation technique for a language based on Mini-ML□ called PML which includes most
of core SML and performs run-time code generation based on modal types. The extension to core
SML was very smooth even though the language includes polymorphism, datatypes, references
and arrays. A simple compiler for this language has been completed, and work is continuing on
improved implementations.

9  Conclusion  and  Future  Work 

In this paper we have proposed a logical interpretation of binding times and staged computation
in terms of the intuitionistic modal logic S4. We first presented the λ→□-calculus, and formally
demonstrated the sense in which it captures staging. We then extended this to the explicit
language Mini-ML□ (including recursion, natural numbers, and products) and presented its natural
operational semantics. We continued by defining an implicit language Mini-ML□ which might
serve as the core for an extension of a language with the complexity of Standard ML, and which
is syntactically similar to both Lisp's backquote and comma notation, as well as the languages
used in partial evaluation. The operational semantics of Mini-ML□ is given by a type-preserving
compilation to Mini-ML□. Further, Mini-ML□ generalizes Nielson & Nielson’s two-level functional
language [NN92] which is demonstrated by a conservative embedding theorem, an important
technical result of this paper.

Our  approach  provides  a  general,  logically  motivated  framework  for  staged  computation  that 
includes  aspects  of  both  partial  evaluation  and  run-time  code  generation.  As  such  it  allows  efficient 
code  to  be  generated  within  a  declarative  style  of  programming,  and  provides  an  automatic  check 
that  the  intended  staging  is  achieved. 

Our investigation remains at a relatively abstract level, thus providing a general framework in
which various staging mechanisms may be studied from a new point of view. We implemented the
original interpreter for Mini-ML□ in the logic programming language Elf [Pfe91], thus allowing us
to perform small experiments at this abstract level. Concrete instances such as partial evaluation,
run-time code generation, or macro expansion will require some additional considerations for their
effective use and efficient implementation. The application to run-time code generation appears
particularly promising and is described in more detail, including an extended example, in work by
the current authors in conjunction with Wickline and Lee [WLPD98]. We hope that future design
and implementation work will lead to a practical full-scale programming language with computation
staging based on modal types.